summary refs log tree commit diff stats
path: root/results/classifier/118/ppc/1837094
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/ppc/1837094')
-rw-r--r--results/classifier/118/ppc/183709463
1 files changed, 63 insertions, 0 deletions
diff --git a/results/classifier/118/ppc/1837094 b/results/classifier/118/ppc/1837094
new file mode 100644
index 00000000..9dc222d5
--- /dev/null
+++ b/results/classifier/118/ppc/1837094
@@ -0,0 +1,63 @@
+ppc: 0.839
+device: 0.780
+network: 0.733
+semantic: 0.679
+graphic: 0.677
+user-level: 0.652
+risc-v: 0.644
+hypervisor: 0.627
+socket: 0.620
+PID: 0.620
+register: 0.605
+debug: 0.553
+files: 0.544
+i386: 0.544
+kernel: 0.544
+permissions: 0.542
+VMM: 0.540
+x86: 0.538
+vnc: 0.531
+KVM: 0.530
+arm: 0.515
+boot: 0.492
+architecture: 0.481
+mistranslation: 0.463
+TCG: 0.446
+virtual: 0.442
+peripherals: 0.440
+performance: 0.380
+assembly: 0.356
+
+UndefinedBehaviorSanitizer crash around slirp::ip_reass()
+
+tag: v4.1.0-rc1
+
+./configure --enable-sanitizers --extra-cflags=-O1
+
+==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
+==26130==The signal is caused by a WRITE memory access.
+==26130==Hint: address points to the zero page.
+    #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
+    #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
+    #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18
+
+I only had access to the last packet which isn't the culprit, I'm now seeing how to log the network traffic of the guest to provide more useful information.
+
+Recent libslirp patch 126c04ac (explained in e0be8043) changed ip_reass(), so this bug might be fixed.
+
+https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04ac
+https://gitlab.freedesktop.org/slirp/libslirp/commit/e0be8043
+
+And
+
+https://gitlab.freedesktop.org/slirp/libslirp/commit/d203c81b
+
+I apologize for not understanding this bug was a security issue, and not insisting on it.
+
+It has been fixed in SLiRP by "Fix use-afte-free in ip_reass() (CVE-2020-1983)":
+https://gitlab.freedesktop.org/slirp/libslirp/commit/9bd6c591
+
+And in QEMU by commit 7769c23774 "slirp: update to fix CVE-2020-1983".
+
+Fixed in QEMU release v5.0.0
+