Diffstat (limited to '')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | results/classifier/gemma3:12b/device/78 | 2 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/781 | 2 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/782 | 6 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/786 | 18 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/786208 | 10 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/786209 | 8 |
| -rw-r--r-- | results/classifier/gemma3:12b/device/787 | 13 |
7 files changed, 59 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/78 b/results/classifier/gemma3:12b/device/78 new file mode 100644 index 00000000..c126a0d2 --- /dev/null +++ b/results/classifier/gemma3:12b/device/78 @@ -0,0 +1,2 @@ + +msmouse serial mouse emulation broken? No id byte sent on reset diff --git a/results/classifier/gemma3:12b/device/781 b/results/classifier/gemma3:12b/device/781 new file mode 100644 index 00000000..4432c671 --- /dev/null +++ b/results/classifier/gemma3:12b/device/781 @@ -0,0 +1,2 @@ + +Assertion `addr < cache->len && 2 <= cache->len - addr' failed in address_space_stw_le_cached diff --git a/results/classifier/gemma3:12b/device/782 b/results/classifier/gemma3:12b/device/782 new file mode 100644 index 00000000..a2669b18 --- /dev/null +++ b/results/classifier/gemma3:12b/device/782 @@ -0,0 +1,6 @@ + +nvme: DMA reentrancy issue leads to use-after-free (CVE-2021-3929) +Description of problem: +A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This is similar to CVE-2021-3750 (https://gitlab.com/qemu-project/qemu/-/issues/541) and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. + +This issue was reported by Qiuhao Li. diff --git a/results/classifier/gemma3:12b/device/786 b/results/classifier/gemma3:12b/device/786 new file mode 100644 index 00000000..f0d97e0f --- /dev/null +++ b/results/classifier/gemma3:12b/device/786 
@@ -0,0 +1,18 @@ + +assert in qemu-6.2.0/hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen) +Description of problem: +assert and crash when -acpitable argument is used. Specifically, the argument was "-acpitable file=my_file.bin" which causes the assert and crash. + +The other arguments, I hope, are not critical. In brief, I'm using secure boot (with ovmf_code.secboot.fd), and a sw tpm as well. But hopefully these are not relevant. + +The assert with -acpitable is a regression since it worked with version 6.1.0 + +The actual error message in qemu 6.2.0 is + +qemu-6.2.0/hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen) +Steps to reproduce: +1. +2. +3. +Additional information: + diff --git a/results/classifier/gemma3:12b/device/786208 b/results/classifier/gemma3:12b/device/786208 new file mode 100644 index 00000000..c9f96e5e --- /dev/null +++ b/results/classifier/gemma3:12b/device/786208 @@ -0,0 +1,10 @@ + +Missing checks for non-existent device in ide_exec_cmd + +Several calls in the ide_exec_cmd handler are missing checks for (!s->bs) or similar, resulting in NULL pointer dereferences, divide-by-zero, or possibly other badness if the guest performs operations on a non-existent IDE master. + +For example, the WIN_READ_NATIVE_MAX command does a 'ide_set_sector(s, s->nb_sectors - 1);', which does 'cyl = sector_num / (s->heads * s->sectors);', which will fail with a divide-by-zero if heads = sectors = 0. + +And WIN_MULTREAD also does not check for s->bs, but does a 'ide_sector_read(s);', which will do 'bdrv_read(s->bs, sector_num, s->io_buffer, n);' on a NULL s->bs, leading to a segfault. + +I do not *believe* that a malicious guest can do anything more than cause a crash with these bugs. \ No newline at end of file diff --git a/results/classifier/gemma3:12b/device/786209 b/results/classifier/gemma3:12b/device/786209 new file mode 100644 index 00000000..05ee4967 --- /dev/null 
+++ b/results/classifier/gemma3:12b/device/786209 @@ -0,0 +1,8 @@ + +Information leak in IDE core + +When the DRQ_STAT bit is set, the IDE core permits both data reads and data writes, regardless of whether the current transfer was initiated as a read or write. + +Furthermore, the IO buffer is allocated via a qemu_memalign but not initialized or cleared at device creation. + +This potentially leaks uninitialized host memory into the guest, if, before doing anything else to an IDE device, the guest begins a write transaction (e.g. WIN_WRITE), but then *reads* from the IO port instead of writing to it. The IDE core will happily return the uninitialized contents of the buffer to the guest, potentially leaking offsets that could be used as part of an attack to get around ASLR. \ No newline at end of file diff --git a/results/classifier/gemma3:12b/device/787 b/results/classifier/gemma3:12b/device/787 new file mode 100644 index 00000000..5b284229 --- /dev/null +++ b/results/classifier/gemma3:12b/device/787 @@ -0,0 +1,13 @@ + +6.2.0 Regression with Intel GVT-g +Description of problem: +Until version 6.1.0 the Intel GVT-g graphics passtrought was working flawless. But, since the version 6.2.0 the machine with the exact same configuration is not working anymore, presenting an error that the graphics device was not found. + +``` +qemu-system-x86_64: -set device.hostdev0.x-igd-opregion=on: there is no device "hostdev0" defined +``` + +Downgrade to 6.1.0 fixes the problem. +Steps to reproduce: +1. Create a virtual machine with GVT-g +2. Try to run the machine. |
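Review bot: the record for issue 78 (and every other file in this commit) stores only the issue text, with no provenance: no source URL, no classifier confidence, no prompt or model revision, and the assigned category lives solely in the directory path `results/classifier/gemma3:12b/device/`. Please document, in a README next to these files or in the commit message, that the filename is the upstream issue number and the parent directory is the label produced by gemma3:12b, otherwise the results cannot be audited or regenerated. Each file also begins with an empty line before the title (`+` followed by `+msmouse serial mouse emulation broken? ...`), which suggests the writer emits a separator ahead of the body; trimming it keeps the title on the first line.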
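Review bot: the record for 786 stores the unfilled issue-template sections verbatim (`+Steps to reproduce:`, `+1.`, `+2.`, `+3.`, `+Additional information:`). If this text is what was fed to the classifier, those placeholder lines carry no signal and the template headings are shared by every issue, so they can only add noise; strip empty template sections before classification, or state in the README that the file is the raw issue body as fetched.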
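Review bot: the file for 786208 has no trailing newline (`\ No newline at end of file`), while 78, 781, 782 and 786 in the same commit end with one. Have the writer always terminate the file with a newline so line-oriented tools (`wc -l`, `grep -c`, `diff`) count the last line consistently and later edits do not produce spurious whole-line diffs.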
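Review bot: the file for 786209 shows the same trailing-newline inconsistency (`\ No newline at end of file`) as 786208; the fix belongs in the result writer rather than in the individual files, so that every record in `results/classifier/gemma3:12b/device/` is produced the same way.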
