Diffstat (limited to 'results/classifier/105/other/1878134')
-rw-r--r-- results/classifier/105/other/1878134 | 109
1 files changed, 109 insertions, 0 deletions
diff --git a/results/classifier/105/other/1878134 b/results/classifier/105/other/1878134
new file mode 100644
index 00000000..cee77cff
--- /dev/null
+++ b/results/classifier/105/other/1878134
@@ -0,0 +1,109 @@
+other: 0.973
+device: 0.969
+assembly: 0.942
+mistranslation: 0.935
+semantic: 0.930
+instruction: 0.926
+network: 0.921
+graphic: 0.920
+vnc: 0.898
+socket: 0.894
+boot: 0.880
+KVM: 0.818
+
+Assertion failures in ati_reg_read_offs/ati_reg_write_offs
+
+Hello,
+While fuzzing, I found inputs that trigger assertion failures in
+ati_reg_read_offs/ati_reg_write_offs
+
+uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length > 0 && length <= 32 - start' failed
+
+#3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
+#4  0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
+#5  0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
+#6  0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
+#7  0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+#8  0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396
+
+
+I can reproduce it in qemu 5.0 built with using:
+cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
+outl 0xcf8 0x80001018
+outl 0xcfc 0xe2000000
+outl 0xcf8 0x8000101c
+outl 0xcf8 0x80001004
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fa20
+write 0xe2000004 0x1 0x1a
+readq 0xe2000000
+EOF
+
+Similarly for ati_reg_write_offs:
+cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
+outl 0xcf8 0x80001018
+outl 0xcfc 0xe2000000
+outl 0xcf8 0x8000101c
+outl 0xcf8 0x80001004
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fa20
+write 0xe2000000 0x8 0x6a00000000006a00
+EOF
+
+I also attached the traces to this launchpad report, in case the formatting is broken:
+
+qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none < attachment
+
+Please let me know if I can provide any further info.
+-Alex
+
+
+
+
+
+Hello,
+Please disregard this - I submitted it to the wrong launchpad site
+
+Hello Alexander,
+
+I believe your fuzz test result was meant to the upstream project so I moved it.
+
+o/
+
+On Fri, 15 May 2020, Launchpad Bug Tracker wrote:
+> You have been subscribed to a public bug by Philippe Mathieu-Daudé (philmd):
+>
+> Hello,
+> While fuzzing, I found inputs that trigger assertion failures in
+> ati_reg_read_offs/ati_reg_write_offs
+>
+> uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length
+>> 0 && length <= 32 - start' failed
+>
+> #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
+> #4  0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
+> #5  0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
+> #6  0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
+> #7  0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+> #8  0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396
+
+Here's a stack trace with --enable debug which is more useful:
+
+#4  0x0000555555b39464 in extract32 (value=0, start=16, length=32) at /home/balaton/src/qemu/include/qemu/bitops.h:300
+#5  0x0000555555b3a45f in ati_reg_read_offs (reg=0, offs=2, size=4) at hw/display/ati.c:269
+#6  0x0000555555b3a9f1 in ati_mm_read (opaque=0x555556f35610, addr=26, size=4) at hw/display/ati.c:299
+#7  0x0000555555b3a988 in ati_mm_read (opaque=0x555556f35610, addr=4, size=4) at hw/display/ati.c:290
+
+It's trying to do an indexed read via MM_DATA reg of the middle of reg 
+0x18 BIOS_2_SCRATCH which ends up calling ati_reg_read_offs with out of 
+bound values. Maybe we should clamp size somewhere.
+
+Regards,
+BALATON Zoltan
+
+Sent patch that should fix this:
+https://<email address hidden>/
+
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0588cb51da698671
+
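Review bot: the classifier score block at the top of the new file (the `other: 0.973` through `KVM: 0.818` lines) runs straight into the pasted bug text with only a blank line between them and no header or separator, so any consumer of `results/classifier/105/other/1878134` has to guess where the scores end and the report begins; consider a fixed marker line or a key/value section header. Two smaller points from the pasted text: the first backtrace comes from an optimized build (frames show `<optimized out>` and `ati_mm_read` attributed to `log-for-trace.h:29`), whereas the later debug-build trace carries the actual arguments (`extract32 (value=0, start=16, length=32)` called from `ati_reg_read_offs (reg=0, offs=2, size=4)`), which is the one that shows the assertion `length <= 32 - start` being violated and is the trace worth keeping; and the `https://<email address hidden>/` patch reference is redacted, so only the final commitdiff link is a usable pointer to the fix.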