summary refs log tree commit diff stats
path: root/results/classifier/118/assembly-x86
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/assembly-x86')
-rw-r--r--results/classifier/118/assembly-x86/137774
-rw-r--r--results/classifier/118/assembly-x86/1824344118
2 files changed, 192 insertions, 0 deletions
diff --git a/results/classifier/118/assembly-x86/1377 b/results/classifier/118/assembly-x86/1377
new file mode 100644
index 00000000..5f1dd9fc
--- /dev/null
+++ b/results/classifier/118/assembly-x86/1377
@@ -0,0 +1,74 @@
+x86: 0.997
+i386: 0.900
+assembly: 0.847
+architecture: 0.838
+device: 0.773
+vnc: 0.768
+graphic: 0.742
+kernel: 0.698
+ppc: 0.615
+risc-v: 0.554
+debug: 0.506
+boot: 0.462
+socket: 0.412
+permissions: 0.405
+arm: 0.386
+TCG: 0.372
+PID: 0.328
+KVM: 0.326
+semantic: 0.321
+performance: 0.309
+network: 0.279
+VMM: 0.264
+hypervisor: 0.205
+virtual: 0.186
+peripherals: 0.177
+files: 0.113
+register: 0.113
+mistranslation: 0.073
+user-level: 0.021
+--------------------
+x86: 1.000
+i386: 0.977
+assembly: 0.946
+debug: 0.242
+kernel: 0.071
+TCG: 0.049
+semantic: 0.042
+risc-v: 0.034
+virtual: 0.033
+user-level: 0.033
+register: 0.029
+hypervisor: 0.027
+files: 0.025
+performance: 0.024
+device: 0.012
+PID: 0.012
+network: 0.012
+architecture: 0.010
+peripherals: 0.009
+boot: 0.005
+permissions: 0.003
+socket: 0.002
+VMM: 0.001
+graphic: 0.001
+vnc: 0.001
+KVM: 0.001
+mistranslation: 0.001
+ppc: 0.000
+arm: 0.000
+
+x86 CVT* series instructions fault
+Description of problem:
+For example, CVTSD2SS instruction converts SRC[63:0] double precision floating point to DEST[31:0] single precision floating point. Although the CVTSD2SS instruction uses only 8 bytes, if it overlaps page boundary, I think QEMU tries to access over the valid memory and crashes.
+Steps to reproduce:
+1. Compile this code
+```
+void main() {
+    mmap(0x555555559000, 0x1000, flag, ~~, 0);
+    asm("cvtsd2ss xmm1, qword ptr [0x555555559ff8]");
+}
+```
+2. Execute. QEMU crashes but CPU does not.
+Additional information:
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/results/classifier/118/assembly-x86/1824344 b/results/classifier/118/assembly-x86/1824344
new file mode 100644
index 00000000..0de0a16c
--- /dev/null
+++ b/results/classifier/118/assembly-x86/1824344
@@ -0,0 +1,118 @@
+x86: 0.950
+i386: 0.943
+kernel: 0.896
+assembly: 0.842
+architecture: 0.838
+ppc: 0.779
+register: 0.635
+device: 0.543
+semantic: 0.396
+PID: 0.373
+files: 0.369
+network: 0.367
+socket: 0.356
+risc-v: 0.322
+performance: 0.315
+boot: 0.303
+virtual: 0.252
+vnc: 0.251
+permissions: 0.246
+graphic: 0.236
+debug: 0.226
+arm: 0.215
+mistranslation: 0.196
+user-level: 0.196
+TCG: 0.164
+hypervisor: 0.151
+VMM: 0.151
+peripherals: 0.114
+KVM: 0.008
+--------------------
+x86: 0.996
+debug: 0.929
+i386: 0.906
+virtual: 0.269
+assembly: 0.120
+files: 0.033
+kernel: 0.017
+hypervisor: 0.016
+semantic: 0.012
+PID: 0.010
+user-level: 0.007
+architecture: 0.007
+performance: 0.007
+network: 0.006
+graphic: 0.005
+TCG: 0.004
+register: 0.004
+socket: 0.002
+device: 0.002
+boot: 0.002
+VMM: 0.001
+ppc: 0.001
+permissions: 0.001
+KVM: 0.001
+peripherals: 0.001
+vnc: 0.000
+mistranslation: 0.000
+risc-v: 0.000
+arm: 0.000
+
+x86: retf or iret pagefault sets wrong error code
+
+With a x86_64 or i386 guest, non-KVM, when trying to execute a
+"iret/iretq/retf" instruction in userspace with invalid stack pointer
+(under a protected mode OS, like Linux), wrong bits are set in the
+pushed error code; bit 2 is not set, indicating the error comes from
+kernel space.
+
+If the guest OS is using this flag to decide whether this was a kernel
+or user page fault, it will mistakenly decide a kernel has irrecoverably
+faulted, possibly causing guest OS panic.
+
+
+How to reproduce the problem a guest (non-KVM) Linux:
+Note, on recent Linux kernel version, this needs a CPU with SMAP support
+(eg. -cpu max)
+
+$ cat tst.c
+int main()
+{
+__asm__ volatile (
+"mov $0,%esp\n"
+"retf"
+);
+return 0;
+}
+
+$ gcc tst.c
+$ ./a.out
+Killed
+
+
+"dmesg" shows the kernel has in fact triggered a "BUG: unable to handle
+kernel NULL pointer dereference...", but it has "recovered" by killing
+the faulting process (see attached screenshot).
+
+
+Using self-compiled qemu from git:
+commit 532cc6da74ec25b5ba6893b5757c977d54582949 (HEAD -> master, tag: v4.0.0-rc3, origin/master, origin/HEAD)
+Author: Peter Maydell <email address hidden>
+Date:   Wed Apr 10 15:38:59 2019 +0100
+
+    Update version for v4.0.0-rc3 release
+    
+    Signed-off-by: Peter Maydell <email address hidden>
+
+
+
+This appears to be similar to https://bugs.launchpad.net/qemu/+bug/1866892 (and much simpler)
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/265
+
+