summary refs log tree commit diff stats
path: root/results/classifier/118/none/1462944
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/none/1462944')
-rw-r--r--results/classifier/118/none/146294459
1 files changed, 59 insertions, 0 deletions
diff --git a/results/classifier/118/none/1462944 b/results/classifier/118/none/1462944
new file mode 100644
index 00000000..8b41278e
--- /dev/null
+++ b/results/classifier/118/none/1462944
@@ -0,0 +1,59 @@
+performance: 0.548
+graphic: 0.437
+device: 0.396
+semantic: 0.383
+ppc: 0.249
+mistranslation: 0.215
+PID: 0.198
+architecture: 0.122
+virtual: 0.118
+register: 0.117
+user-level: 0.105
+vnc: 0.103
+x86: 0.094
+socket: 0.094
+arm: 0.093
+network: 0.091
+debug: 0.074
+kernel: 0.073
+assembly: 0.069
+i386: 0.069
+risc-v: 0.063
+permissions: 0.058
+files: 0.055
+VMM: 0.044
+boot: 0.041
+peripherals: 0.040
+TCG: 0.040
+hypervisor: 0.036
+KVM: 0.028
+
+vpc file causes qemu-img to consume lots of time and memory
+
+The attached vpc file causes 'qemu-img info' to consume 3 or 4 seconds of CPU time and 1.3 GB of heap, causing a minor denial of service.
+
+$ /usr/bin/time ~/d/qemu/qemu-img info afl12.img
+block-vpc: The header checksum of 'afl12.img' is incorrect.
+qemu-img: Could not open 'afl12.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated.
+1.19user 3.15system 0:04.35elapsed 99%CPU (0avgtext+0avgdata 1324504maxresident)k
+0inputs+0outputs (0major+327314minor)pagefaults 0swaps
+
+The file was found using american-fuzzy-lop.
+
+
+
+This slightly modified example takes about 7 seconds and 2 GB of heap:
+
+$ /usr/bin/time ~/d/qemu/qemu-img info /mnt/scratch/afl13.img 
+block-vpc: The header checksum of '/mnt/scratch/afl13.img' is incorrect.
+qemu-img: Could not open '/mnt/scratch/afl13.img': block-vpc: free_data_block_offset points after the end of file. The image has been truncated.
+1.84user 5.72system 0:07.59elapsed 99%CPU (0avgtext+0avgdata 2045496maxresident)k
+8inputs+0outputs (0major+507536minor)pagefaults 0swaps
+
+
+Is there still something left to do here, or could we close this ticket nowadays?
+
+I suspect this bug is probably still around, and if not then this class of bugs is certainly still around.  What we have done in management tools like Open Stack is to confine qemu-img using simple ulimits when inspecting any untrusted image, and that solves the problem so it's probably fine to close this bug now.
+
+[Expired for QEMU because there has been no activity for 60 days.]
+