Diffstat (limited to '')
-rw-r--r-- results/classifier/118/none/1393    | 95
-rw-r--r-- results/classifier/118/none/1393486 | 49
2 files changed, 144 insertions, 0 deletions
diff --git a/results/classifier/118/none/1393 b/results/classifier/118/none/1393 new file mode 100644 index 00000000..0fb5373f --- /dev/null +++ b/results/classifier/118/none/1393 
@@ -0,0 +1,95 @@ +TCG: 0.534 +user-level: 0.454 +VMM: 0.443 +vnc: 0.418 +virtual: 0.414 +permissions: 0.391 +assembly: 0.377 +graphic: 0.370 +hypervisor: 0.368 +performance: 0.363 +network: 0.357 +KVM: 0.353 +peripherals: 0.352 +device: 0.350 +x86: 0.350 +semantic: 0.346 +arm: 0.343 +PID: 0.341 +ppc: 0.339 +debug: 0.336 +register: 0.328 +risc-v: 0.327 +boot: 0.322 +kernel: 0.318 +architecture: 0.306 +mistranslation: 0.271 +files: 0.269 +i386: 0.248 +socket: 0.238 + +Abort in audio_calloc() of ac97 +Description of problem: +Section 5.10.2 of the AC97 specification (https://hands.com/~lkcl/ac97_r23.pdf) +shows the feasibility to support for rates other than 48kHZ. Specifically, +AC97_PCM_Front_DAC_Rate (reg 2Ch) should be from 8kHZ to 48kHZ. + + +An adversary can leverage this to crash QEMU. + +A nornal 48kHZ setting is like this. + +``` +ac97_realize + open_voice + as->freq = 0xbb80 # 0xbb80=48000 + AUD_open_out + audio_pcm_create_voice_pair_out (sw is NULL) + audio_pcm_sw_init_out + sw->info.freq = as->freq (in audio_pcm_init_info()) + sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq + samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out()) +``` + +A non-48kHZ setting is like this. Since `as->freq` is too small, `sw->ratio` is +too large. Finally, `samples` is zero, failing the audio_calloc() in +audio_pcm_sw_alloc_resources_out(). + +``` +nam_writew + open_voice + as->freq = 0x6 + AUD_open_out + audio_pcm_sw_init_out (sw is not NULL) + sw->info.freq = as->freq (in audio_pcm_init_info()) + sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq + samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out()) + audio_calloc(.., samples, ) (in audio_pcm_sw_alloc_resources_out()) +``` +Steps to reproduce: +1. download the prepared rootfs and the image. 
+ + https://drive.google.com/file/d/1IfVCvn76HY-Eb4AZU7yvuyPzM3QC1q10/view?usp=sharing + https://drive.google.com/file/d/1JN6JgvOSI5aSLIdTEFKiskKbrGWFo0BO/view?usp=sharing + +2. run the following script. + +``` bash +QEMU_PATH=../../../qemu-devel/build/x86_64-softmmu/qemu-system-x86_64 +KERNEL_PATH=./bzImage +ROOTFS_PATH=./rootfs.ext2 +$QEMU_PATH \ + -M q35 -m 1G \ + -kernel $KERNEL_PATH \ + -drive file=$ROOTFS_PATH,if=virtio,format=raw \ + -append "root=/dev/vda console=ttyS0" \ + -net nic,model=virtio -net user \ + -device ac97,audiodev=snd0 -audiodev none,id=snd0 \ + -nographic +``` + +3. with spawned shell (the user is root and the password is empty), run +`ac97-00`. +Additional information: +In the latest QEMU, this issue was generally fixed by 12f4abf6a245c43d8411577fd400373c85f08c6b and 0cbc8bd4694f32687bf47c6da48efa48fac35fd2 that remove abort() from the source code. Even though, I still plan to send a +patch so that the warning about the invalid freq will be gone. diff --git a/results/classifier/118/none/1393486 b/results/classifier/118/none/1393486 new file mode 100644 index 00000000..e403e30c --- /dev/null +++ b/results/classifier/118/none/1393486 
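Review bot: the top-ranked label in this file is TCG: 0.534 for a report whose subject is the ac97 audio device model (an abort in audio_calloc() reached via nam_writew -> open_voice with as->freq = 0x6), while device: 0.350 and peripherals: 0.352 rank near the bottom; the classifier output looks wrong for this report and is worth sanity-checking before it is committed as a result. A second problem is the file layout: the score block and the report body are separated only by a single blank line, but the report body itself contains blank lines (before "An adversary can leverage this to crash QEMU.", around each code fence, and inside "Steps to reproduce"), so a consumer cannot split the two parts on the first blank line; a fixed score count or an explicit separator line would make the format unambiguous. Finally, the reproducer depends on two Google Drive links for the rootfs and kernel image, so it cannot be reproduced from the repository contents alone.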
@@ -0,0 +1,49 @@ +vnc: 0.774 +device: 0.719 +performance: 0.711 +register: 0.679 +mistranslation: 0.671 +socket: 0.656 +network: 0.608 +ppc: 0.579 +virtual: 0.537 +graphic: 0.505 +kernel: 0.504 +VMM: 0.442 +files: 0.440 +semantic: 0.407 +permissions: 0.401 +hypervisor: 0.383 +PID: 0.368 +peripherals: 0.342 +boot: 0.320 +i386: 0.319 +KVM: 0.313 +risc-v: 0.307 +TCG: 0.305 +architecture: 0.301 +arm: 0.288 +debug: 0.266 +x86: 0.211 +user-level: 0.144 +assembly: 0.068 + +hw/virtio/virtio-rng.c:150: bad test ? + +hw/virtio/virtio-rng.c:150:31: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] + + if (!vrng->conf.period_ms > 0) { + error_setg(errp, "'period' parameter expects a positive integer"); + return; + } + +Maybe better code + + if (vrng->conf.period_ms <= 0) { + error_setg(errp, "'period' parameter expects a positive integer"); + return; + } + +Fixed here: +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=a3a292c420d2fec3c07 + |
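Review bot: the top labels here are vnc: 0.774, device: 0.719, performance: 0.711 and register: 0.679 for a report about a -Wlogical-not-parentheses warning in hw/virtio/virtio-rng.c, i.e. a precedence bug in a virtio device property check, so only "device" has any relation to the content and the ranking again looks unreliable for short compiler-warning reports; consider flagging this result rather than committing it silently. The diagnosis recorded in the file is correct: in `if (!vrng->conf.period_ms > 0)` the `!` binds tighter than `>`, so the expression is `(!period_ms) > 0`, which rejects only period_ms == 0 and accepts negative values, and the suggested `if (vrng->conf.period_ms <= 0)` is the right fix. Note also that the 29 labels are the same set in both files but appear in score order, so anything consuming these files must key on the label name rather than on line position.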
