Diffstat (limited to 'results/classifier/118/permissions/1913916')
-rw-r--r--results/classifier/118/permissions/1913916106
1 files changed, 106 insertions, 0 deletions
diff --git a/results/classifier/118/permissions/1913916 b/results/classifier/118/permissions/1913916
new file mode 100644
index 00000000..50a452a4
--- /dev/null
+++ b/results/classifier/118/permissions/1913916
@@ -0,0 +1,106 @@
+permissions: 0.859
+device: 0.853
+register: 0.846
+hypervisor: 0.810
+virtual: 0.808
+performance: 0.805
+mistranslation: 0.800
+peripherals: 0.791
+risc-v: 0.788
+arm: 0.787
+x86: 0.786
+TCG: 0.783
+semantic: 0.776
+i386: 0.773
+debug: 0.769
+vnc: 0.766
+architecture: 0.765
+graphic: 0.758
+user-level: 0.740
+assembly: 0.737
+ppc: 0.735
+PID: 0.732
+kernel: 0.724
+files: 0.722
+VMM: 0.713
+KVM: 0.689
+socket: 0.669
+boot: 0.661
+network: 0.598
+
+aarch64-virt: heap-buffer-overflow in address_space_lookup_region
+
+Reproducer:
+cat << EOF | ./qemu-system-aarch64 \
+-machine virt,accel=qtest -qtest stdio
+writel 0x8000f00 0xff4affb0
+writel 0x8000f00 0xf2f8017f
+writeq 0x801000e 0x5a5a5a6c8ff7004b
+writeq 0x8010010 0x5a5a5a5a73ba2f00
+writel 0x8000000 0x3bf5a03
+writel 0x8000000 0x3bf5a03
+writeq 0x8010000 0x10ffff03fbffffff
+writel 0x8000f1f 0x5a55fc00
+readl 0x8011f00
+readl 0x80000d3
+readl 0x80000d3
+clock_step
+writeq 0x4010008004 0x4604fffdffc54c01
+writeq 0x4010008002 0xf7478b3f5aff5a55
+writel 0x8000f00 0x2d6954
+writel 0x800005a 0x2706fcf
+readq 0x800002c
+readw 0x9000004
+readq 0x800002c
+writeq 0x801000e 0x5555017f00017f00
+writew 0x8010000 0x55
+writew 0x8010000 0x465a
+writew 0x8010000 0x55
+writew 0x8010000 0xaf00
+writeq 0x8010015 0x3b5a5a5555460000
+writeq 0x8010015 0xd546002b2b000000
+writeq 0x8010015 0xc44ea5aaaab9ffff
+readq 0x8000a5a
+EOF
+
+Stacktrace:
+==638893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022b84 at pc 0x55915c484d92 bp 0x7ffcde114a00 sp 0x7ffcde1149f8
+READ of size 2 at 0x629000022b84 thread T0
+    #0 0x55915c484d91 in address_space_lookup_region /home/alxndr/Development/qemu/build/../softmmu/physmem.c:345:36
+    #1 0x55915c484d91 in address_space_translate_internal /home/alxndr/Development/qemu/build/../softmmu/physmem.c:359:15
+    #2 0x55915c481d90 in flatview_do_translate /home/alxndr/Development/qemu/build/../softmmu/physmem.c:497:15
+    #3 0x55915c48214e in flatview_translate /home/alxndr/Development/qemu/build/../softmmu/physmem.c:563:15
+    #4 0x55915c107ff9 in address_space_read /home/alxndr/Development/qemu/include/exec/memory.h:2477:18
+    #5 0x55915c107ff9 in qtest_process_command /home/alxndr/Development/qemu/build/../softmmu/qtest.c:572:13
+    #6 0x55915c102b97 in qtest_process_inbuf /home/alxndr/Development/qemu/build/../softmmu/qtest.c:797:9
+    #7 0x55915c953286 in fd_chr_read /home/alxndr/Development/qemu/build/../chardev/char-fd.c:68:9
+    #8 0x7f02be25daae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
+    #9 0x55915cfae363 in glib_pollfds_poll /home/alxndr/Development/qemu/build/../util/main-loop.c:232:9
+    #10 0x55915cfae363 in os_host_main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:255:5
+    #11 0x55915cfae363 in main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:531:11
+    #12 0x55915c069599 in qemu_main_loop /home/alxndr/Development/qemu/build/../softmmu/runstate.c:721:9
+    #13 0x55915a2f61fd in main /home/alxndr/Development/qemu/build/../softmmu/main.c:50:5
+    #14 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
+    #15 0x55915a249bc9 in _start (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)
+
+0x629000022b84 is located 660 bytes to the right of 18160-byte region [0x62900001e200,0x6290000228f0)
+allocated by thread T0 here:
+    #0 0x55915a2c3c3d in malloc (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x33cac3d)
+    #1 0x7f02be263a88 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57a88)
+    #2 0x55915c932cbd in qdev_new /home/alxndr/Development/qemu/build/../hw/core/qdev.c:153:19
+    #3 0x55915b559360 in create_gic /home/alxndr/Development/qemu/build/../hw/arm/virt.c:631:16
+    #4 0x55915b5449d2 in machvirt_init /home/alxndr/Development/qemu/build/../hw/arm/virt.c:1966:5
+    #5 0x55915a62bac0 in machine_run_board_init /home/alxndr/Development/qemu/build/../hw/core/machine.c:1169:5
+    #6 0x55915c02b8d8 in qemu_init_board /home/alxndr/Development/qemu/build/../softmmu/vl.c:2455:5
+    #7 0x55915c02b8d8 in qmp_x_exit_preconfig /home/alxndr/Development/qemu/build/../softmmu/vl.c:2526:5
+    #8 0x55915c035d91 in qemu_init /home/alxndr/Development/qemu/build/../softmmu/vl.c:3533:9
+    #9 0x55915a2f61f8 in main /home/alxndr/Development/qemu/build/../softmmu/main.c:49:5
+    #10 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
+
+Fix for this 13+ years old issue:
+https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07969.html
+
+This is a duplicate of the rather simpler bug 1913917. The overrun occurs on the first 
+writel 0x8000f00 0xff4affb0, which corrupts memory and eventually results in the crash described in the backtrace. I'm not sure why the fuzzer isn't just reporting the original overrun.
+
+