diff options
Diffstat (limited to 'results/classifier/118/unknown/1908513')
| -rw-r--r-- | results/classifier/118/unknown/1908513 | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/results/classifier/118/unknown/1908513 b/results/classifier/118/unknown/1908513 deleted file mode 100644 index 46edff22..00000000 --- a/results/classifier/118/unknown/1908513 +++ /dev/null @@ -1,98 +0,0 @@ -hypervisor: 0.902 -KVM: 0.865 -ppc: 0.858 -vnc: 0.847 -user-level: 0.838 -TCG: 0.831 -i386: 0.831 -x86: 0.829 -peripherals: 0.818 -VMM: 0.817 -virtual: 0.796 -graphic: 0.784 -risc-v: 0.780 -performance: 0.777 -register: 0.775 -device: 0.759 -permissions: 0.758 -mistranslation: 0.756 -debug: 0.755 -semantic: 0.741 -assembly: 0.732 -files: 0.731 -architecture: 0.729 -boot: 0.727 -socket: 0.724 -kernel: 0.711 -PID: 0.709 -arm: 0.707 -network: 0.706 - -assertion failure in mptsas1068 emulator - -Using hypervisor fuzzer, hyfuzz, I found an assertion failure through mptsas1068 emulator. - -A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service. - -This was found in version 5.2.0 (master) - - -qemu-system-i386: ../hw/scsi/mptsas.c:968: void mptsas_interrupt_status_write(MPTSASState *): Assertion -`s->intr_status & MPI_HIS_DOORBELL_INTERRUPT' failed. -[1] 16951 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/qemu-system-i386 -m 512 -drive - -Program terminated with signal SIGABRT, Aborted. -#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 -51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. -[Current thread is 1 (Thread 0x7fc7d6023700 (LWP 23475))] -gdb-peda$ bt -#0 0x00007fc7efa13f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 -#1 0x00007fc7efa158b1 in __GI_abort () at abort.c:79 -#2 0x00007fc7efa0542a in __assert_fail_base (fmt=0x7fc7efb8ca38 "%s%s%s:%u: %s%sAssertion `%s' failed.\\n%n", assertion=assertion@entry=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=file@entry=0x56439214d4a7 "../hw/scsi/mptsas.c", line=line@entry=0x3c8, function=function@entry=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:92 -#3 0x00007fc7efa054a2 in __GI___assert_fail (assertion=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=0x56439214d4a7 "../hw/scsi/mptsas.c", line=0x3c8, function=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:101 -#4 0x0000564391a43963 in mptsas_interrupt_status_write (s=<optimized out>) at ../hw/scsi/mptsas.c:968 -#5 0x0000564391a43963 in mptsas_mmio_write (opaque=0x5643943dd5b0, addr=0x30, val=0x18000000, size=<optimized out>) at ../hw/scsi/mptsas.c:1052 -#6 0x0000564391e08798 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) - at ../softmmu/memory.c:491 -#7 0x0000564391e0858e in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=<optimized out>, attrs=...) at ../softmmu/memory.c:552 -#8 0x0000564391e0858e in memory_region_dispatch_write (mr=0x5643943ddea0, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1501 -#9 0x0000564391eff228 in io_writex (iotlbentry=<optimized out>, mmu_idx=<optimized out>, val=<optimized out>, addr=<optimized out>, retaddr=<optimized out>, op=<optimized out>, env=<optimized out>) - at ../accel/tcg/cputlb.c:1378 -#10 0x0000564391eff228 in store_helper (env=<optimized out>, addr=<optimized out>, val=<optimized out>, oi=<optimized out>, retaddr=<optimized out>, op=MO_32) at ../accel/tcg/cputlb.c:2397 -#11 0x0000564391eff228 in helper_le_stl_mmu (env=<optimized out>, addr=<optimized out>, val=0x2, oi=<optimized out>, retaddr=0x7fc78841b401) at ../accel/tcg/cputlb.c:2463 -#12 0x00007fc78841b401 in code_gen_buffer () -#13 0x0000564391dd0da0 in cpu_tb_exec (cpu=0x56439363e650, itb=<optimized out>) at ../accel/tcg/cpu-exec.c:178 -#14 0x0000564391dd19eb in cpu_loop_exec_tb (tb=<optimized out>, cpu=<optimized out>, last_tb=<optimized out>, tb_exit=<optimized out>) at ../accel/tcg/cpu-exec.c:658 -#15 0x0000564391dd19eb in cpu_exec (cpu=0x56439363e650) at ../accel/tcg/cpu-exec.c:771 -#16 0x0000564391e00b9f in tcg_cpu_exec (cpu=<optimized out>) at ../accel/tcg/tcg-cpus.c:243 -#17 0x0000564391e00b9f in tcg_cpu_thread_fn (arg=0x56439363e650) at ../accel/tcg/tcg-cpus.c:427 -#18 0x00005643920d8775 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521 -#19 0x00007fc7efdcd6db in start_thread (arg=0x7fc7d6023700) at pthread_create.c:463 - -To reproduce this issue, please run the QEMU with the following command line. - - -# To enable ASan option, please set configuration with the following command -$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers -$ make - -# To reproduce this issue, please run the QEMU process with the following command line. -$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device mptsas1068,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img - -Please let me know if I can provide any further info. -Thank you. - -- Cheolwoo, Myung (Seoul National University) - - - -This still triggers with the current version from git master, marking as Confirmed - - -This is an automated cleanup. This bug report has been moved to QEMU's -new bug tracker on gitlab.com and thus gets marked as 'expired' now. -Please continue with the discussion here: - - https://gitlab.com/qemu-project/qemu/-/issues/304 - - |