summary refs log tree commit diff stats
path: root/results/classifier/118/none/1882065
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/none/1882065')
-rw-r--r--results/classifier/118/none/188206567
1 files changed, 67 insertions, 0 deletions
diff --git a/results/classifier/118/none/1882065 b/results/classifier/118/none/1882065
new file mode 100644
index 00000000..e4d36b6f
--- /dev/null
+++ b/results/classifier/118/none/1882065
@@ -0,0 +1,67 @@
+ppc: 0.770
+graphic: 0.749
+performance: 0.722
+network: 0.716
+device: 0.712
+mistranslation: 0.709
+semantic: 0.692
+register: 0.664
+vnc: 0.659
+socket: 0.636
+kernel: 0.615
+architecture: 0.613
+peripherals: 0.560
+files: 0.558
+PID: 0.547
+arm: 0.543
+risc-v: 0.532
+x86: 0.532
+permissions: 0.525
+VMM: 0.525
+debug: 0.519
+hypervisor: 0.512
+TCG: 0.509
+i386: 0.493
+boot: 0.487
+user-level: 0.444
+KVM: 0.422
+assembly: 0.342
+virtual: 0.306
+
+Could this cause OOB bug ?
+
+In function megasas_handle_scsi(hw/scsi/megasas.c):
+
+```c
+static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+                               int frame_cmd)
+{
+    ............................................................................
+    cdb = cmd->frame->pass.cdb;
+    target_id = cmd->frame->header.target_id;
+    lun_id = cmd->frame->header.lun_id;
+    cdb_len = cmd->frame->header.cdb_len;
+    ............................................................................
+    if (cdb_len > 16) {
+        trace_megasas_scsi_invalid_cdb_len(
+                mfi_frame_desc[frame_cmd], is_logical,
+                target_id, lun_id, cdb_len);
+        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+        cmd->frame->header.scsi_status = CHECK_CONDITION;
+        s->event_count++;
+        return MFI_STAT_SCSI_DONE_WITH_ERROR;
+    }
+}
+```
+
+Two variables, frame_cmd and cdb_len, can be controlled by guest os. So can mfi_frame_desc[frame_cmd] cause OOB bug ?
+
+QEMU emulator version 5.0.50 (v5.0.0-533-gdebe78ce14-dirty)
+
+You must start the trace function of QEMU to trigger this BUG!
+
+I think we should fix this anyway, even if it can only be triggered when trace functions are enabled
+
+Fix has been included:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ee760ac80ac1f1
+