Diffstat:
-rw-r--r-- results/classifier/gemma3:12b/device/1393    | 66
-rw-r--r-- results/classifier/gemma3:12b/device/1393440 | 18
-rw-r--r-- results/classifier/gemma3:12b/device/1393486 | 16
3 files changed, 100 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/1393 b/results/classifier/gemma3:12b/device/1393
new file mode 100644
index 00000000..85cd7cb3
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1393
@@ -0,0 +1,66 @@
+
+Abort in audio_calloc() of ac97
+Description of problem:
+Section 5.10.2 of the AC97 specification (https://hands.com/~lkcl/ac97_r23.pdf)
+shows the feasibility to support for rates other than 48kHZ. Specifically,
+AC97_PCM_Front_DAC_Rate (reg 2Ch) should be from 8kHZ to 48kHZ.
+
+
+An adversary can leverage this to crash QEMU.
+
+A nornal 48kHZ setting is like this.
+
+```
+ac97_realize
+ open_voice
+ as->freq = 0xbb80 # 0xbb80=48000
+ AUD_open_out
+ audio_pcm_create_voice_pair_out (sw is NULL)
+ audio_pcm_sw_init_out
+ sw->info.freq = as->freq (in audio_pcm_init_info())
+ sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
+ samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
+```
+
+A non-48kHZ setting is like this. Since `as->freq` is too small, `sw->ratio` is
+too large. Finally, `samples` is zero, failing the audio_calloc() in
+audio_pcm_sw_alloc_resources_out().
+
+```
+nam_writew
+ open_voice
+ as->freq = 0x6
+ AUD_open_out
+ audio_pcm_sw_init_out (sw is not NULL)
+ sw->info.freq = as->freq (in audio_pcm_init_info())
+ sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
+ samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
+ audio_calloc(.., samples, ) (in audio_pcm_sw_alloc_resources_out())
+```
+Steps to reproduce:
+1. download the prepared rootfs and the image.
+
+ https://drive.google.com/file/d/1IfVCvn76HY-Eb4AZU7yvuyPzM3QC1q10/view?usp=sharing
+ https://drive.google.com/file/d/1JN6JgvOSI5aSLIdTEFKiskKbrGWFo0BO/view?usp=sharing
+
+2. run the following script.
+
+``` bash
+QEMU_PATH=../../../qemu-devel/build/x86_64-softmmu/qemu-system-x86_64
+KERNEL_PATH=./bzImage
+ROOTFS_PATH=./rootfs.ext2
+$QEMU_PATH \
+ -M q35 -m 1G \
+ -kernel $KERNEL_PATH \
+ -drive file=$ROOTFS_PATH,if=virtio,format=raw \
+ -append "root=/dev/vda console=ttyS0" \
+ -net nic,model=virtio -net user \
+ -device ac97,audiodev=snd0 -audiodev none,id=snd0 \
+ -nographic
+```
+
+3. with spawned shell (the user is root and the password is empty), run
+`ac97-00`.
+Additional information:
+In the latest QEMU, this issue was generally fixed by 12f4abf6a245c43d8411577fd400373c85f08c6b and 0cbc8bd4694f32687bf47c6da48efa48fac35fd2 that remove abort() from the source code. Even though, I still plan to send a
+patch so that the warning about the invalid freq will be gone.
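Review bot: the file stores only the raw issue text, so the classifier's result (the `device` label) survives only in the directory path `results/classifier/gemma3:12b/device/`; there is no model name, label or confidence inside the file, and the same text copied elsewhere would lose its classification. Consider writing a short header line (model, label, score) before the issue body. Also note that source typos are baked into the dataset as-is (`nornal 48kHZ setting`, `kHZ` for kHz); if these files are meant to be verbatim captures that is fine, otherwise normalize before writing.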
diff --git a/results/classifier/gemma3:12b/device/1393440 b/results/classifier/gemma3:12b/device/1393440
new file mode 100644
index 00000000..c642e0cc
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1393440
@@ -0,0 +1,18 @@
+
+pcie.c:148: possible error in OR expression ?
+
+[qemu/hw/pci/pcie.c:148] -> [qemu/hw/pci/pcie.c:148]: (style) Same expression on both sides of '|'.
+
+ pci_long_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_DEVSTA,
+ PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+ PCI_EXP_DEVSTA_URD | PCI_EXP_DEVSTA_URD);
+
+I am guessing that something like
+
+ pci_long_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_DEVSTA,
+ PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+ PCI_EXP_DEVSTA_FED | PCI_EXP_DEVSTA_URD);
+
+was intended.
+
+I used static analyser cppcheck to find this bug. \ No newline at end of file
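Review bot: this file is written without a terminating newline (the `\ No newline at end of file` marker after the cppcheck sentence), whereas the first file in this change ends with one; have the result writer append a single newline to every output file so later edits or appends do not produce spurious one-line diffs.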
diff --git a/results/classifier/gemma3:12b/device/1393486 b/results/classifier/gemma3:12b/device/1393486
new file mode 100644
index 00000000..fc2f03af
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1393486
@@ -0,0 +1,16 @@
+
+hw/virtio/virtio-rng.c:150: bad test ?
+
+hw/virtio/virtio-rng.c:150:31: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
+
+ if (!vrng->conf.period_ms > 0) {
+ error_setg(errp, "'period' parameter expects a positive integer");
+ return;
+ }
+
+Maybe better code
+
+ if (vrng->conf.period_ms <= 0) {
+ error_setg(errp, "'period' parameter expects a positive integer");
+ return;
+ } \ No newline at end of file
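Review bot: like the other two files, this one begins with an empty line before the `hw/virtio/virtio-rng.c:150: bad test ?` title, and like the second it drops the final newline; the writer appears to prepend a newline and omit the terminating one, so strip the text and append exactly one `\n` when writing each result file.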