1 files changed, 73 insertions, 0 deletions

diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml b/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml
new file mode 100644
index 00000000..a9799d67
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml
@@ -0,0 +1,73 @@
+id = 1393
+title = "Abort in audio_calloc()  of ac97"
+state = "closed"
+created_at = "2022-12-25T12:05:43.116Z"
+closed_at = "2022-12-28T08:22:16.002Z"
+labels = []
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1393"
+host-os = "Ubuntu 20.04"
+host-arch = "x86"
+qemu-version = "7.0.94"
+guest-os = "Buildroot Linux"
+guest-arch = "x86"
+description = """Section 5.10.2 of the AC97 specification (https://hands.com/~lkcl/ac97_r23.pdf)
+shows the feasibility to support for rates other than 48kHZ. Specifically,
+AC97_PCM_Front_DAC_Rate (reg 2Ch) should be from 8kHZ to 48kHZ.
+
+
+An adversary can leverage this to crash QEMU.
+
+A nornal 48kHZ setting is like this.
+
+```
+ac97_realize
+  open_voice
+    as->freq = 0xbb80 # 0xbb80=48000
+    AUD_open_out
+      audio_pcm_create_voice_pair_out (sw is NULL)
+        audio_pcm_sw_init_out
+          sw->info.freq = as->freq (in audio_pcm_init_info())
+          sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
+          samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
+```
+
+A non-48kHZ setting is like this. Since `as->freq` is too small, `sw->ratio` is
+too large. Finally, `samples` is zero, failing the audio_calloc() in
+audio_pcm_sw_alloc_resources_out().
+
+```
+nam_writew
+  open_voice
+    as->freq = 0x6
+    AUD_open_out
+      audio_pcm_sw_init_out (sw is not NULL)
+        sw->info.freq = as->freq (in audio_pcm_init_info())
+        sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
+        samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
+        audio_calloc(.., samples, ) (in audio_pcm_sw_alloc_resources_out())
+```"""
+reproduce = """1. download the prepared rootfs and the image.
+
+    https://drive.google.com/file/d/1IfVCvn76HY-Eb4AZU7yvuyPzM3QC1q10/view?usp=sharing
+    https://drive.google.com/file/d/1JN6JgvOSI5aSLIdTEFKiskKbrGWFo0BO/view?usp=sharing
+
+2. run the following script.
+
+``` bash
+QEMU_PATH=../../../qemu-devel/build/x86_64-softmmu/qemu-system-x86_64
+KERNEL_PATH=./bzImage
+ROOTFS_PATH=./rootfs.ext2
+$QEMU_PATH \\
+    -M q35 -m 1G \\
+    -kernel $KERNEL_PATH \\
+    -drive file=$ROOTFS_PATH,if=virtio,format=raw \\
+    -append "root=/dev/vda console=ttyS0" \\
+    -net nic,model=virtio -net user \\
+    -device ac97,audiodev=snd0 -audiodev none,id=snd0 \\
+    -nographic
+```
+
+3. with spawned shell (the user is root and the password is empty), run
+`ac97-00`."""
+additional = """In the latest QEMU, this issue was generally fixed by 12f4abf6a245c43d8411577fd400373c85f08c6b and 0cbc8bd4694f32687bf47c6da48efa48fac35fd2 that remove abort() from the source code. Even though, I still plan to send a
+patch so that the warning about the invalid freq will be gone."""