Diffstat (limited to 'results/classifier/105/other/1909247')
-rw-r--r--results/classifier/105/other/19092471605
1 files changed, 1605 insertions, 0 deletions
diff --git a/results/classifier/105/other/1909247 b/results/classifier/105/other/1909247
new file mode 100644
index 00000000..09f743d8
--- /dev/null
+++ b/results/classifier/105/other/1909247
@@ -0,0 +1,1605 @@
+other: 0.886
+graphic: 0.876
+assembly: 0.875
+semantic: 0.869
+socket: 0.865
+device: 0.859
+vnc: 0.858
+instruction: 0.854
+network: 0.831
+mistranslation: 0.831
+KVM: 0.816
+boot: 0.744
+
+QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
+
+A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
+
+This issue was reported by Cheolwoo Myung (Seoul National University).
+
+Original report:
+Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
+am53c974 emulator of QEMU enabled ASan.
+
+It occurs while transferring information, as it does not check the
+buffer to be transferred.
+
+A malicious guest user/process could use this flaw to crash the QEMU
+process resulting in DoS scenario.
+
+To reproduce this issue, please run the QEMU with the following command
+line.
+
+# To enable ASan option, please set configuration with the following
+$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
+$ make
+
+# To reproduce this issue, please run the QEMU process with the following command line
+$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
+-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
+-drive id=SysDisk,if=none,file=./disk.img
+
+Please find attached the disk images to reproduce this issue.
+
+
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909996
+
+Looks the same, or very similar to this one:
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * later. See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
+ * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
+ * outl 0xcf8 0x80001010
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001004
+ * outw 0xcfc 0x01
+ * outl 0xc046 0x02
+ * outl 0xc03f 0x0300
+ * outw 0xc00b 0x4300
+ * outl 0xc00b 0x9000
+ * EOF
+ */
+static void test_fuzz(void)
+{
+    QTestState *s = qtest_init(
+        "-display none , -m 4G -device am53c974,id=scsi -device "
+        "scsi-hd,drive=disk0 -drive "
+        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xc000);
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_outw(s, 0xcfc, 0x01);
+    qtest_outl(s, 0xc046, 0x02);
+    qtest_outl(s, 0xc03f, 0x0300);
+    qtest_outw(s, 0xc00b, 0x4300);
+    qtest_outl(s, 0xc00b, 0x9000);
+    qtest_quit(s);
+}
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+    if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/test_fuzz", test_fuzz);
+    }
+
+    return g_test_run();
+}
+
+Technically, the first one is a heap use-after-free, while the second a stack buffer overflow. They could be two different manifestations of the same issue; they both originate from handle_ti() and the root cause may be the same. 
+
+Heap uaf:
+=================================================================             
+==129653==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000b5000 at pc 0x7f0c3d947dd3 bp 0x7f0c13bfdac0 sp 0x7f0c13bfd270
+READ of size 27 at 0x6290000b5000 thread T7  
+    #0 0x7f0c3d947dd2 in __interceptor_memcpy (/lib64/libasan.so.6+0x39dd2)     
+    #1 0x562c1c7292b2 in flatview_write_continue softmmu/physmem.c:2781
+    #2 0x562c1c729589 in flatview_write softmmu/physmem.c:2816
+    #3 0x562c1c729ef7 in address_space_write softmmu/physmem.c:2908
+    #4 0x562c1c729faf in address_space_rw softmmu/physmem.c:2918
+    #5 0x562c1c217754 in dma_memory_rw_relaxed include/sysemu/dma.h:8
+    #6 0x562c1c2177a1 in dma_memory_rw include/sysemu/dma.h:127
+    #7 0x562c1c21791b in pci_dma_rw include/hw/pci/pci.h:803
+    #8 0x562c1c21b6e3 in esp_pci_dma_memory_rw hw/scsi/esp-pci.c:283
+    #9 0x562c1c21ba6e in esp_pci_dma_memory_write hw/scsi/esp-pci.c:302
+    #10 0x562c1c428685 in esp_do_dma hw/scsi/esp.c:526
+    #11 0x562c1c429cb5 in handle_ti hw/scsi/esp.c:629
+    ...
+
+Stack bof:
+=================================================================                                                                                                                                                  
+==138588==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8a90c300 at pc 0x559b1de0780e bp 0x7ffc8a90bd10 sp 0x7ffc8a90bd08                   
+WRITE of size 4 at 0x7ffc8a90c300 thread T0                                                                                                                 
+    #0 0x559b1de0780d in stl_he_p include/qemu/bswap.h:353                                                                           
+    #1 0x559b1de07dec in stn_he_p include/qemu/bswap.h:486
+    #2 0x559b1de23e47 in flatview_read_continue softmmu/physmem.c:2841
+    #3 0x559b1de24215 in flatview_read softmmu/physmem.c:2879
+    #4 0x559b1de243b5 in address_space_read_full softmmu/physmem.c:2892
+    #5 0x559b1de2462c in address_space_rw softmmu/physmem.c:2920
+    #6 0x559b1d1ec514 in dma_memory_rw_relaxed include/sysemu/dma.h:88
+    #7 0x559b1d1ec561 in dma_memory_rw include/sysemu/dma.h:127
+    #8 0x559b1d1ec6db in pci_dma_rw include/hw/pci/pci.h:803
+    #9 0x559b1d1f04a3 in esp_pci_dma_memory_rw hw/scsi/esp-pci.c:283
+    #10 0x559b1d1f07f8 in esp_pci_dma_memory_read hw/scsi/esp-pci.c:296
+    #11 0x559b1d66fab1 in esp_do_dma hw/scsi/esp.c:576
+    #12 0x559b1d6746e1 in handle_ti hw/scsi/esp.c:845
+    ...
+
+Note that the use-after-free was found in v5.2.0 and, as far as I can tell, is not reproducible anymore on master. The ESP/NCR53C9x emulator (hw/scsi/esp.c) underwent several changes since v5.2.0. By git-bisecting, it looks like the original reproducer is neutralized after commit [1]. However, the qtest reproducer (comment #3) seems to be working fine on master as of today.
+
+[1] https://git.qemu.org/?p=qemu.git;a=commit;h=bb0bc7bbc9764a5e9e81756819838c5db88652b8
+
+Hi Mauro,
+Oops... I missed that it was a stack-overflow. I went through my list of crashes, and the closest one I can find is a heap UAF, but it is a write, rather than a read:
+
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * Copyright (c) 2021 <name of author>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * later. See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
+ * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
+ * outl 0xcf8 0x80001010
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001004
+ * outw 0xcfc 0x05
+ * outb 0xc046 0x02
+ * outl 0xc00b 0xc100
+ * outl 0xc040 0x03
+ * outl 0xc040 0x03
+ * write 0x0 0x1 0x41
+ * outl 0xc00b 0xc100
+ * outw 0xc040 0x02
+ * outl 0xc00b 0x9000
+ * EOF
+ */
+static void test_fuzz(void)
+{
+    QTestState *s = qtest_init(
+        "-display none , -m 4G -device am53c974,id=scsi -device "
+        "scsi-hd,drive=disk0 -drive "
+        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xc000);
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_outw(s, 0xcfc, 0x05);
+    qtest_outb(s, 0xc046, 0x02);
+    qtest_outl(s, 0xc00b, 0xc100);
+    qtest_outl(s, 0xc040, 0x03);
+    qtest_outl(s, 0xc040, 0x03);
+    qtest_bufwrite(s, 0x0, "\x41", 0x1);
+    qtest_outl(s, 0xc00b, 0xc100);
+    qtest_outw(s, 0xc040, 0x02);
+    qtest_outl(s, 0xc00b, 0x9000);
+    qtest_quit(s);
+}
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+    if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/test_fuzz", test_fuzz);
+    }
+
+    return g_test_run();
+}
+
+
+
+Thank you both for the reproducers. Please see the proposed patchset here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html
+
+
+On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <email address hidden> wrote: 
+> Hello  PJP, Mauro
+>
+> Of course. you can post the details with our reproducers. 
+> I'm glad it helped you.
+>
+> Thank you.
+> - Cheolwoo Myung
+>
+
+
+2021년 3월 17일 (수) 오후 10:30, P J P <email address hidden>님이 작성:
+>
+>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <email address hidden> wrote: 
+>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
+>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
+>
+> * From the QEMU command lines below they do look similar.
+>  
+> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
+>
+>
+>On Mon, Mar 15, 2021 at 6:58 AM P J P <email address hidden> wrote:
+> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <email address hidden> wrote:
+> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
+> >
+> ># To reproduce this issue, please run the QEMU process with the following command line.
+> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
+> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
+> >
+> >
+> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
+> >
+> ># To reproduce this issue, please run the QEMU process with the following command line.
+> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
+> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
+> >
+
+* I was able to reproduce these issues against the latest upstream git source
+  and following patch helps to fix above two issues.
+===
+$ git diff hw/scsi/
+diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
+index c3d3dab05e..4a6f208069 100644
+--- a/hw/scsi/esp-pci.c
++++ b/hw/scsi/esp-pci.c
+@@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
+     trace_esp_pci_dma_abort(val);
+     if (s->current_req) {
+         scsi_req_cancel(s->current_req);
++        s->async_len = 0;
+     }
+ }
+ 
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 507ab363bc..99bee7bc66 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
+     int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO);
+     uint8_t buf[ESP_CMDFIFO_SZ];
+ 
+-    len = esp_get_tc(s);
++    len = MIN(esp_get_tc(s), sizeof(buf));
+     if (s->do_cmd) {
+         /*
+===
+
+
+> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
+> >
+> ># To reproduce this issue, please run the QEMU process with the following command line.
+> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
+> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
+
+* This heap OOB access issue seems to occur because
+
+   static void do_busid_cmd(...)
+     ...
+     buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <==
+
+'buf' points towards an end of the 32 byte buffer allocated via
+
+   static void esp_init(Object *obj)
+     ...
+     fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32));  <==
+
+and the OOB access could occur at numerous places, one of which is
+
+scsi_req_new
+ -> scsi_req_parse_cdb
+  -> memcpy(cmd->buf, buf, cmd->len);  <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.
+
+
+* This one is quite tricky to fix. Because 'buf[]' is accessed at various
+  places with hard coded index values. It's not easy to check access
+  against 's->cmdfifo' object.
+
+
+@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug
+
+  -> https://bugs.launchpad.net/qemu/+bug/1909247
+
+It'll help to discuss/prepare a proper fix patch.
+
+
+Thank you.
+---
+  -P J P
+http://feedmug.com
+
+Can you confirm that this is fixed in the v2 of the above patchset?
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
+
+
+ATB,
+
+Mark.
+
+
+Hello,
+
+Thank you all for your comments. Both patches (PJP/comment#8 - Mark/comment#9) seem to properly fix the UAF reported by Alexander in comment #6. However, I'm still able to reproduce the heap-bof from the above hw-esp-oob-issues.zip:
+
+./x86_64-softmmu/qemu-system-x86_64 -m 512 \
+-drive file=./atch2/hyfuzz.img,index=0,media=disk,format=raw \
+-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
+-drive id=SysDisk,if=none,file=./atch2/disk.img
+
+
+
+Hi,
+I can still trigger stack-overflows, heap-UAFs and heap-overflows in the
+code, but Mark's patches fixed some of the issues. I didn't want to
+flood the issue-tracker with further problems in this code, since it
+isn't clear what the security expectations are for this device. Of
+course it is only a matter of time until someone sends more reports to
+qemu-security.
+
+Mark, do you want me to provide more reproducers for this device?
+-Alex
+
+
+
+On 3/24/21 4:53 PM, Alexander Bulekov wrote:
+> Hi,
+> I can still trigger stack-overflows, heap-UAFs and heap-overflows in the
+> code, but Mark's patches fixed some of the issues. I didn't want to
+> flood the issue-tracker with further problems in this code, since it
+> isn't clear what the security expectations are for this device. Of
+> course it is only a matter of time until someone sends more reports to
+> qemu-security.
+
+I'd expect qemu-security to have a template "Thank you for your bug
+but this device is not within the 'security' boundary, we will forward
+your report to the community".
+
+> 
+> Mark, do you want me to provide more reproducers for this device?
+
+Surely Mark prefers you provide bugfixes instead :D
+
+Phil.
+
+
+If Alex is interested in having a fuzz-proof device as a starting point for fuzzing QEMU's SCSI layer then I don't mind doing the basic work as I've spent a few months deep in the internals of the ESP controller, and it makes sense to look at this whilst it is all still fresh. I'd say there's at least one more set of ESP changes already waiting for after the 6.0 release.
+
+PJP:
+Your change to esp-pci.c looks like a genuine issue, although there is an inconsistency within ESP as to what determines whether a request is in progress or not. My v2 patchset above uses the request member being non-NULL to indicate a valid request, but this should be made consistent throughout the driver.
+
+Can you provide a qtest reproducer so that it can be incorporated into the test included in the v2 patchset and also allow me to check that this issue has been fixed?
+
+Alex:
+If you can try PJP's patch to esp-pci.c and if you still see some issues then please update this bug with a test case or two, and I will look at them when I get a moment.
+
+Mauro:
+Thanks for the test case - again I shall look at this when I have some available time.
+
+
+Add some more regression tests for the esp device. 
+
+(Prasad's Patch)
+Based-on: <email address hidden>
+(Mark's v2 Patchset)
+Based-on: <email address hidden>
+Signed-off-by: Alexander Bulekov <email address hidden>
+---
+
+Hi Mark,
+Hopefully these are useful. I realized that my previous message was
+innacurate (I forgot to apply Prasad's patch, or your v2
+patchset). The only corruptions that I am continuing to see are
+heap-overflows. I am guessing that most of these are due to some mututal
+root cause, so the number of tests far-exceeds the actual number of
+errors, but I am providing all of the crashes with unique-looking
+stack-traces, just in case.
+Please let me know if I can provide anything else that would help.
+-Alex
+
+ tests/qtest/am53c974-test.c | 1137 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 1137 insertions(+)
+
+diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
+index c90bd4c187..cb2a5646a6 100644
+--- a/tests/qtest/am53c974-test.c
++++ b/tests/qtest/am53c974-test.c
+@@ -9,6 +9,1125 @@
+ 
+ #include "libqos/libqtest.h"
+ 
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc000 0x4
++ * outb 0xc008 0xa0
++ * outl 0xc03f 0x0300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0xc300
++ * outl 0xc00b 0xc300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_0900379669(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc000, 0x4);
++    qtest_outb(s, 0xc008, 0xa0);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc008 0x20
++ * outw 0xc000 0x1
++ * outb 0xc040 0x03
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outw 0xc00b 0x4200
++ * outl 0xc00a 0x410000
++ * EOF
++ */
++static void crash_094661a91b(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc008, 0x20);
++    qtest_outw(s, 0xc000, 0x1);
++    qtest_outb(s, 0xc040, 0x03);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outw(s, 0xc00b, 0x4200);
++    qtest_outl(s, 0xc00a, 0x410000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc000 0x4
++ * outl 0xc007 0x8000
++ * outl 0xc03f 0x0300
++ * outl 0xc00b 0x4300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0xc300
++ * outl 0xc00b 0xc300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_0fff2155cb(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc000, 0x4);
++    qtest_outl(s, 0xc007, 0x8000);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_outl(s, 0xc00b, 0x4300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outw 0xc00c 0x41
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x43
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outl 0xc006 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x0800
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc006 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x0800
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x4100
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x43
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x100000
++ * EOF
++ */
++static void crash_1548bd10e7(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outw(s, 0xc00c, 0x41);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc006, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x0800);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc006, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x0800);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc00a 0x420000
++ * outl 0xc00a 0x430000
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outb 0xc008 0x00
++ * outw 0xc00b 0x00
++ * outb 0xc008 0xa0
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outl 0xc00b 0x1000
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_1afe349482(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc00a, 0x420000);
++    qtest_outl(s, 0xc00a, 0x430000);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outb(s, 0xc008, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outb(s, 0xc008, 0xa0);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x1000);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc007 0x2000
++ * outw 0xc00b 0x0100
++ * outw 0xc00c 0x43
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x43
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x100000
++ * EOF
++ */
++static void crash_1b42581317(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc007, 0x2000);
++    qtest_outw(s, 0xc00b, 0x0100);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc007 0x1500
++ * outw 0xc00b 0x4100
++ * outw 0xc00b 0x4100
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x1000
++ * outw 0xc009 0x00
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0x0
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0xc000
++ * outl 0xc00b 0xc000
++ * outl 0xc007 0x00
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x1000
++ * outl 0xc007 0x00
++ * outw 0xc00b 0x4100
++ * EOF
++ */
++static void crash_30e28cfa86(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc007, 0x1500);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_outw(s, 0xc009, 0x00);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0x0);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc00b, 0xc000);
++    qtest_outl(s, 0xc007, 0x00);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x1000);
++    qtest_outl(s, 0xc007, 0x00);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc008 0x42
++ * outw 0xc00b 0x4100
++ * outw 0xc00b 0x4100
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x1000
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outl 0xc00b 0x0300
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_34093bfc7c(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc008, 0x42);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outw 0xc000 0x1
++ * outb 0xc040 0x03
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outw 0xc007 0xa000
++ * outl 0xc00a 0x410000
++ * EOF
++ */
++static void crash_3a05434a1f(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outw(s, 0xc000, 0x1);
++    qtest_outb(s, 0xc040, 0x03);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outw(s, 0xc007, 0xa000);
++    qtest_outl(s, 0xc00a, 0x410000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outw 0xc000 0x01
++ * outb 0xc040 0x03
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0x4200
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0x4000
++ * outl 0xc00b 0xc200
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * EOF
++ */
++static void crash_3ab5744bc3(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outw(s, 0xc000, 0x01);
++    qtest_outb(s, 0xc040, 0x03);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0x4200);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0x4000);
++    qtest_outl(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc00b 0x4100
++ * outw 0xc00b 0xc200
++ * outl 0xc03f 0x0300
++ * EOF
++ */
++static void crash_530ff2e211(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0xc200);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outl 0xc03f 0x0300
++ * outw 0xc00b 0x4300
++ * outw 0xc000 0x01
++ * outw 0xc009 0x00
++ * outw 0xc00b 0x1000
++ * outl 0xc00d 0x02000000
++ * outw 0xc00c 0xc2
++ * outw 0xc00b 0x4100
++ * outl 0xc00b 0x1000
++ * EOF
++ */
++static void crash_76ab101171(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_outw(s, 0xc00b, 0x4300);
++    qtest_outw(s, 0xc000, 0x01);
++    qtest_outw(s, 0xc009, 0x00);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_outl(s, 0xc00d, 0x02000000);
++    qtest_outw(s, 0xc00c, 0xc2);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outl(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc000 0x4
++ * outw 0xc007 0x4000
++ * outl 0xc03f 0x0300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_7f743a0082(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc000, 0x4);
++    qtest_outw(s, 0xc007, 0x4000);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc000 0x4
++ * outl 0xc03f 0x0300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outl 0xc00b 0x00
++ * outl 0xc00b 0xc300
++ * outl 0xc00b 0xc300
++ * outw 0xc00b 0x9000
++ * outw 0xc00b 0x1000
++ * EOF
++ */
++static void crash_87744a2e67(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc000, 0x4);
++    qtest_outl(s, 0xc03f, 0x0300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outl(s, 0xc00b, 0xc300);
++    qtest_outw(s, 0xc00b, 0x9000);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outw 0xc00c 0x41
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x43
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00b 0x00
++ * outw 0xc00c 0x00
++ * outw 0xc00a 0x00
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x00
++ * outw 0xc00c 0x43
++ * outl 0xc00a 0x100000
++ * outl 0xc00a 0x100000
++ * EOF
++ */
++static void crash_9f92a77bd6(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outw(s, 0xc00c, 0x41);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00b, 0x00);
++    qtest_outw(s, 0xc00c, 0x00);
++    qtest_outw(s, 0xc00a, 0x00);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x00);
++    qtest_outw(s, 0xc00c, 0x43);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_outl(s, 0xc00a, 0x100000);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outb 0xc008 0xa
++ * outw 0xc00b 0x4100
++ * outw 0xc00b 0x4100
++ * outw 0xc00b 0x1000
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x0400
++ * outl 0xc00b 0x4200
++ * EOF
++ */
++static void crash_d94dc29565(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outb(s, 0xc008, 0xa);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outw(s, 0xc00b, 0x1000);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x0400);
++    qtest_outl(s, 0xc00b, 0x4200);
++    qtest_quit(s);
++}
++/*
++ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
++ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
++ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
++ * outl 0xcf8 0x80001010
++ * outl 0xcfc 0xc000
++ * outl 0xcf8 0x80001004
++ * outw 0xcfc 0x01
++ * outw 0xc00b 0x4100
++ * outl 0xc00b 0x0300
++ * inl 0xc00b
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x0800
++ * outl 0xc00b 0x00
++ * outl 0xc00a 0x410000
++ * EOF
++ */
++static void crash_df5a21ccf3(void)
++{
++    QTestState *s = qtest_init(
++        "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 "
++        "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults");
++    qtest_outl(s, 0xcf8, 0x80001010);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80001004);
++    qtest_outw(s, 0xcfc, 0x01);
++    qtest_outw(s, 0xc00b, 0x4100);
++    qtest_outl(s, 0xc00b, 0x0300);
++    qtest_inl(s, 0xc00b);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x0800);
++    qtest_outl(s, 0xc00b, 0x00);
++    qtest_outl(s, 0xc00a, 0x410000);
++    qtest_quit(s);
++}
+ 
+ static void test_cmdfifo_underflow_ok(void)
+ {
+@@ -106,6 +1225,24 @@ int main(int argc, char **argv)
+     g_test_init(&argc, &argv, NULL);
+ 
+     if (strcmp(arch, "i386") == 0) {
++        qtest_add_func("fuzz/crash_0900379669", crash_0900379669);
++        qtest_add_func("fuzz/crash_094661a91b", crash_094661a91b);
++        qtest_add_func("fuzz/crash_0fff2155cb", crash_0fff2155cb);
++        qtest_add_func("fuzz/crash_1548bd10e7", crash_1548bd10e7);
++        qtest_add_func("fuzz/crash_1afe349482", crash_1afe349482);
++        qtest_add_func("fuzz/crash_1b42581317", crash_1b42581317);
++        qtest_add_func("fuzz/crash_30e28cfa86", crash_30e28cfa86);
++        qtest_add_func("fuzz/crash_34093bfc7c", crash_34093bfc7c);
++        qtest_add_func("fuzz/crash_3a05434a1f", crash_3a05434a1f);
++        qtest_add_func("fuzz/crash_3ab5744bc3", crash_3ab5744bc3);
++        qtest_add_func("fuzz/crash_530ff2e211", crash_530ff2e211);
++        qtest_add_func("fuzz/crash_76ab101171", crash_76ab101171);
++        qtest_add_func("fuzz/crash_7f743a0082", crash_7f743a0082);
++        qtest_add_func("fuzz/crash_87744a2e67", crash_87744a2e67);
++        qtest_add_func("fuzz/crash_9f92a77bd6", crash_9f92a77bd6);
++        qtest_add_func("fuzz/crash_d94dc29565", crash_d94dc29565);
++        qtest_add_func("fuzz/crash_dd24c44f80", crash_dd24c44f80);
++        qtest_add_func("fuzz/crash_df5a21ccf3", crash_df5a21ccf3);
+         qtest_add_func("am53c974/test_cmdfifo_underflow_ok",
+                        test_cmdfifo_underflow_ok);
+         qtest_add_func("am53c974/test_cmdfifo_overflow_ok",
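Review bot: The eighteen registrations added at the top of the i386 branch use a `fuzz/` path prefix, while the file's own tests on the surrounding context lines are registered under `am53c974/`; a run filtered with `-p /am53c974` would presumably not select any of the new reproducers, so register them under the device path, e.g. `qtest_add_func("am53c974/fuzz/crash_0900379669", crash_0900379669);`. The hash-derived names also say nothing about which defect each case regressed; a one-line comment above each `crash_*` function (or the bug number in the test path) naming the failure it reproduces — use-after-free in esp_do_dma(), out-of-bounds FIFO access, or an assertion — would let a future failure be triaged without re-running under ASan. The body of main() continues outside the hunk.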
+-- 
+2.28.0
+
+
+
+Thanks again Alex. I've just posted a v3 to the list which fixes your extra test cases, and also those contained within the uaf and hw-esp-oob attachments:
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg00015.html
+
+
+This is fixed now, thank you Mark.
+
+Patchset v4:
+https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
+
+Upstream commits:
+https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48
+https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae
+https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577c
+https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bb
+https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51
+https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e721
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2ed
+https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f
+https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8
+https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d
+https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba
+