summary refs log tree commit diff stats
path: root/results/classifier/105/other/1919035
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/other/1919035')
-rw-r--r--results/classifier/105/other/1919035150
1 files changed, 150 insertions, 0 deletions
diff --git a/results/classifier/105/other/1919035 b/results/classifier/105/other/1919035
new file mode 100644
index 00000000..0adc8421
--- /dev/null
+++ b/results/classifier/105/other/1919035
@@ -0,0 +1,150 @@
+other: 0.622
+KVM: 0.620
+graphic: 0.618
+mistranslation: 0.582
+device: 0.545
+instruction: 0.504
+semantic: 0.499
+boot: 0.499
+assembly: 0.456
+network: 0.445
+socket: 0.444
+vnc: 0.436
+
+Assertion failure in fifo8_pop_buf() through am53c974
+
+Hello,
+
+Using hypervisor fuzzer, hyfuzz, I found an assertion failure through am53c974 emulator.
+
+A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
+
+This was found in version 5.2.0 (master, 3f8d1885e4)
+
+
+```
+qemu-system-i386: ../util/fifo8.c:73: fifo8_pop_buf: Assertion `max > 0 && max <= fifo->num' failed.
+
+#0  0x00007ffff0218fb7 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+#1  0x00007ffff021a921 in __GI_abort () at abort.c:79
+#2  0x00007ffff020a48a in __assert_fail_base (fmt=0x7ffff0391750 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555558ed24a0 "max > 0 && max <= fifo->num", file=file@entry=0x555558ed2380 "../util/fifo8.c", line=line@entry=0x49, function=function@entry=0x555558ed24e0 <__PRETTY_FUNCTION__.16603> "fifo8_pop_buf") at assert.c:92
+#3  0x00007ffff020a502 in __GI___assert_fail (assertion=assertion@entry=0x555558ed24a0 "max > 0 && max <= fifo->num", file=file@entry=0x555558ed2380 "../util/fifo8.c", line=line@entry=0x49, function=function@entry=0x555558ed24e0 <__PRETTY_FUNCTION__.16603> "fifo8_pop_buf") at assert.c:101
+#4  0x000055555877519a in fifo8_pop_buf (fifo=fifo@entry=0x61f000005200, max=max@entry=0xff, num=num@entry=0x7fff72bfa550) at ../util/fifo8.c:73
+#5  0x00005555572b7d9a in do_cmd (s=s@entry=0x61f000005088) at ../hw/scsi/esp.c:328
+#6  0x00005555572b879a in esp_do_nodma (s=s@entry=0x61f000005088) at ../hw/scsi/esp.c:701
+#7  0x00005555572bfd79 in handle_ti (s=0x61f000005088) at ../hw/scsi/esp.c:848
+#8  0x00005555572c419c in esp_reg_write (s=0x61f000005088, saddr=saddr@entry=0x3, val=<optimized out>) at ../hw/scsi/esp.c:987
+#9  0x0000555557bb916a in esp_pci_io_write (opaque=0x61f000004680, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at ../hw/scsi/esp-pci.c:214
+#10 0x000055555817ea28 in memory_region_write_accessor (mr=0x61f000004f70, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:491
+#11 0x0000555558176671 in access_with_adjusted_size (addr=addr@entry=0xc, value=value@entry=0x7fff72bfb2a8, size=size@entry=0x1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=
+    0x55555817e7c0 <memory_region_write_accessor>, mr=0x61f000004f70, attrs=...) at ../softmmu/memory.c:552
+#12 0x00005555581892aa in memory_region_dispatch_write (mr=mr@entry=0x61f000004f70, addr=<optimized out>, data=<optimized out>, data@entry=0x10, op=op@entry=MO_8, attrs=..., attrs@entry=...) at ../softmmu/memory.c:1508
+#13 0x0000555558024b66 in address_space_stb (as=<optimized out>, addr=<optimized out>, val=<optimized out>, attrs=..., result=0x0) at /home/cwmyung/prj/hyfuzz/src/qemu-master/memory_ldst.c.inc:382
+#14 0x00007fff93236d3c in code_gen_buffer ()
+#15 0x0000555557e793bb in cpu_tb_exec (tb_exit=<optimized out>, itb=<optimized out>, cpu=0x62e0000004b4) at ../accel/tcg/cpu-exec.c:190
+#16 0x0000555557e793bb in cpu_loop_exec_tb (tb_exit=<optimized out>, last_tb=<optimized out>, tb=<optimized out>, cpu=0x62e0000004b4) at ../accel/tcg/cpu-exec.c:673
+#17 0x0000555557e793bb in cpu_exec (cpu=cpu@entry=0x62e000000400) at ../accel/tcg/cpu-exec.c:798
+#18 0x0000555557f5fc5a in tcg_cpus_exec (cpu=cpu@entry=0x62e000000400) at ../accel/tcg/tcg-accel-ops.c:68
+#19 0x00005555582260af in mttcg_cpu_thread_fn (arg=arg@entry=0x62e000000400) at ../accel/tcg/tcg-accel-ops-mttcg.c:70
+#20 0x0000555558777b05 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521
+#21 0x00007ffff05d26db in start_thread (arg=0x7fff72bff700) at pthread_create.c:463
+#22 0x00007ffff02fb71f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
+```
+
+
+To reproduce the assertion failure, please run the QEMU with the following command line.
+
+```
+
+$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img
+
+```
+
+Please let me know if I can provide any further info.
+
+Thank you.
+
+- Cheolwoo, Myung (Seoul National University)
+
+
+
+QTest reproducer:
+
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * later. See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
+ * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
+ * outl 0xcf8 0x80001004
+ * outw 0xcfc 0x01
+ * outl 0xcf8 0x8000100e
+ * outl 0xcfc 0x8a000000
+ * outl 0x8a09 0x42000000
+ * outl 0x8a0d 0x00
+ * outl 0x8a0b 0x1000
+ * EOF
+ */
+static void test_fuzz(void)
+{
+    QTestState *s = qtest_init(
+        "-display none , -m 4G -device am53c974,id=scsi -device "
+        "scsi-hd,drive=disk0 -drive "
+        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_outw(s, 0xcfc, 0x01);
+    qtest_outl(s, 0xcf8, 0x8000100e);
+    qtest_outl(s, 0xcfc, 0x8a000000);
+    qtest_outl(s, 0x8a09, 0x42000000);
+    qtest_outl(s, 0x8a0d, 0x00);
+    qtest_outl(s, 0x8a0b, 0x1000);
+    qtest_quit(s);
+}
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+    if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/test_fuzz", test_fuzz);
+    }
+
+    return g_test_run();
+}
+
+
+Thank you both for the reproducers. Please see the proposed patchset here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html
+
+
+This is fixed now, thank you Mark.
+
+Patchset v4:
+https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
+
+Upstream commits:
+https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48
+https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae
+https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577c
+https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bb
+https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51
+https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e721
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2ed
+https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f
+https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8
+https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d
+https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba
+
+I'm not able to change the status of this bug anymore. It should have been closed as "Fix committed" - QEMU 6.0.0 is not yet released.
+