summary refs log tree commit diff stats
path: root/results/classifier/105/other/1908369
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/other/1908369')
-rw-r--r--results/classifier/105/other/1908369129
1 files changed, 129 insertions, 0 deletions
diff --git a/results/classifier/105/other/1908369 b/results/classifier/105/other/1908369
new file mode 100644
index 00000000..a4bdfe4d
--- /dev/null
+++ b/results/classifier/105/other/1908369
@@ -0,0 +1,129 @@
+other: 0.771
+graphic: 0.713
+instruction: 0.694
+semantic: 0.648
+assembly: 0.640
+boot: 0.639
+device: 0.634
+network: 0.632
+socket: 0.532
+mistranslation: 0.518
+KVM: 0.472
+vnc: 0.444
+
+deleted
+
+Hello,
+
+An heap-use-after-free issue was found in hw/net/eepro100.c:616 in latest version 5.2.0.
+
+This issue was found when I was debugging Qemu in monitor. When I attach An eepro100 NIC, and reload the snapshot, the use-after-free triggers.
+
+Qemu boot command is as follows:
+./qemu-5.2.0-rc4/build/qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive format=qcow2,file=./ubuntu.img -display none -monitor stdio
+(qemu) device_add i82559a,id=eepro
+(qemu) device_del eepro
+(qemu) savevm tag0
+(qemu) loadvm tag0
+
+
+Backtrace is as follows:
+=================================================================
+==32048==ERROR: AddressSanitizer: heap-use-after-free on address 0x6280000449f0 at pc 0x7f751f5eed1a bp 0x7ffcd01f2cf0 sp 0x7ffcd01f2498
+WRITE of size 8 at 0x6280000449f0 thread T0
+    #0 0x7f751f5eed19  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
+    #1 0x55948f3c9287 in nic_reset ../hw/net/eepro100.c:616
+    #2 0x5594900f481a in qemu_devices_reset ../hw/core/reset.c:69
+    #3 0x55948fae72e7 in pc_machine_reset ../hw/i386/pc.c:1615
+    #4 0x55948fda10af in qemu_system_reset ../softmmu/vl.c:1405
+    #5 0x55948f1ce8ed in load_snapshot ../migration/savevm.c:3008
+    #6 0x55948f7420e9 in hmp_loadvm ../monitor/hmp-cmds.c:1133
+    #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
+    #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
+    #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
+    #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
+    #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
+    #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
+    #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
+    #14 0x55949011f217 in qio_channel_fd_source_dispatch ../io/channel-watch.c:84
+    #15 0x7f751e056284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
+    #16 0x559490580e97 in glib_pollfds_poll ../util/main-loop.c:221
+    #17 0x559490580fb3 in os_host_main_loop_wait ../util/main-loop.c:244
+    #18 0x55949058124f in main_loop_wait ../util/main-loop.c:520
+    #19 0x55948fda1e53 in qemu_main_loop ../softmmu/vl.c:1678
+    #20 0x55948f183c76 in main ../softmmu/main.c:50
+    #21 0x7f751a8e3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
+    #22 0x55948f183b69 in _start (/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x19c6b69)
+
+0x6280000449f0 is located 2288 bytes inside of 15616-byte region [0x628000044100,0x628000047e00)
+freed by thread T1 here:
+    #0 0x7f751f66e7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
+    #1 0x5594900ade06 in object_finalize ../qom/object.c:689
+    #2 0x5594900b04fe in object_unref ../qom/object.c:1183
+    #3 0x5594900eae68 in bus_free_bus_child ../hw/core/qdev.c:56
+    #4 0x55949055d2d7 in call_rcu_thread ../util/rcu.c:281
+    #5 0x5594905ad296 in qemu_thread_start ../util/qemu-thread-posix.c:521
+    #6 0x7f751acba6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
+
+previously allocated by thread T0 here:
+    #0 0x7f751f66eb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
+    #1 0x7f751e05bab8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
+    #2 0x5594900ae04f in object_new ../qom/object.c:744
+    #3 0x5594900ec0c3 in qdev_new ../hw/core/qdev.c:154
+    #4 0x55948f37b084 in qdev_device_add ../softmmu/qdev-monitor.c:654
+    #5 0x55948f37c36d in qmp_device_add ../softmmu/qdev-monitor.c:805
+    #6 0x55948f37cd40 in hmp_device_add ../softmmu/qdev-monitor.c:916
+    #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
+    #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
+    #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
+    #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
+    #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
+    #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
+    #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
+    #14 0x55949011f217 in qio_channel_fd_source_dispatch ../io/channel-watch.c:84
+    #15 0x7f751e056284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
+
+Thread T1 created by T0 here:
+    #0 0x7f751f5c7d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
+    #1 0x5594905ad673 in qemu_thread_create ../util/qemu-thread-posix.c:558
+    #2 0x55949055d8f0 in rcu_init_complete ../util/rcu.c:379
+    #3 0x55949055dab9 in rcu_init ../util/rcu.c:435
+    #4 0x55949068e5dc in __libc_csu_init (/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x2ed15dc)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
+Shadow bytes around the buggy address:
+  0x0c50800008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c50800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+=>0x0c5080000930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
+  0x0c5080000940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c5080000980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==32048==ABORTING
+
+
+Thanks.
+