summary refs log tree commit diff stats
path: root/results/classifier/118/device/2268
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/device/2268')
-rw-r--r--results/classifier/118/device/226873
1 files changed, 73 insertions, 0 deletions
diff --git a/results/classifier/118/device/2268 b/results/classifier/118/device/2268
new file mode 100644
index 00000000..483ec6b0
--- /dev/null
+++ b/results/classifier/118/device/2268
@@ -0,0 +1,73 @@
+device: 0.934
+risc-v: 0.925
+ppc: 0.913
+arm: 0.913
+debug: 0.910
+register: 0.907
+kernel: 0.902
+assembly: 0.902
+network: 0.900
+PID: 0.896
+permissions: 0.895
+performance: 0.892
+boot: 0.883
+files: 0.880
+peripherals: 0.879
+TCG: 0.858
+architecture: 0.857
+graphic: 0.855
+user-level: 0.837
+socket: 0.826
+semantic: 0.784
+hypervisor: 0.736
+vnc: 0.729
+mistranslation: 0.716
+x86: 0.666
+virtual: 0.662
+i386: 0.638
+VMM: 0.585
+KVM: 0.556
+
+Out of bounds access in smc91c111_readb()
+Description of problem:
+I detected an out-of-bounds access in smc91c111_readb with my fuzzer.
+
+Stack trace (part):\
+`hw/net/smc91c111.c:607:24: runtime error: index 175 out of bounds for`\
+`type 'uint8_t[4][2048]' (aka 'unsigned char[4][2048]')`\
+`SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior`\
+`hw/net/smc91c111.c:607:24 in`\
+`AddressSanitizer:DEADLYSIGNAL`\
+`==============================`<wbr>`==============================`<wbr>`=====`\
+`==397944==ERROR: AddressSanitizer: SEGV on unknown address`\
+`0x629000077db4 (pc 0x56272aed3b8d bp 0x7ffd1471f290 sp 0x7ffd1471ea20`\
+`T0)`\
+`==397944==The signal is caused by a READ memory access.`\
+    `#0 0x56272aed3b8d in smc91c111_readb hw/net/smc91c111.c:607:24`\
+    `#1 0x56272aecfd61 in smc91c111_readfn hw/net/smc91c111.c:650:16`\
+    `#2 0x56272d4b228b in memory_region_read_accessor system/memory.c:445:11`\
+    `#3 0x56272d46fb85 in access_with_adjusted_size system/memory.c:573:18`\
+    `#4 0x56272d46c58e in memory_region_dispatch_read1 system/memory.c:1426:16`\
+    `#5 0x56272d46bcd7 in memory_region_dispatch_read system/memory.c:1459:9`\
+    `#6 0x56272d4e8e03 in flatview_read_continue_step system/physmem.c:2794:18`\
+    `#7 0x56272d4e871e in flatview_read_continue system/physmem.c:2835:19`\
+    `#8 0x56272d4e98b8 in flatview_read system/physmem.c:2865:12`\
+    `#9 0x56272d4e9388 in address_space_read_full system/physmem.c:2878:18`\
+    `#10 0x56272d6e7840 in address_space_read include/exec/memory.h:3026:18`\
+`...`\
+Bug analysis: I found s-\>packet_num = 175 at line 599.
+Steps to reproduce:
+Reproducer:\
+export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine\
+mainstone"\
+cat \<\< EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio\
+outl 0xcf8 0x80000010\
+outl 0xcfc 0x10000300\
+outl 0xcf8 0x80000004\
+outl 0xcfc 0x07\
+writel 0x1000030c 0x66027cd6\
+writel 0x10000300 0x64af8eda\
+readw 0x10000308\
+EOF
+Additional information:
+Ack: Chuhong Yuan (hslester96@gmail.com)