8 files changed, 314 insertions, 0 deletions

diff --git a/results/classifier/user-mode-bugs/1079080 b/results/classifier/user-mode-bugs/1079080
new file mode 100644
index 00000000..07054d7c
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1079080
@@ -0,0 +1,12 @@
+
+ARM instruction "srs" wrong behaviour
+
+Quote from ARM Architecture Reference Manual ARMv7-A and ARMv7-R :
+"Store Return State stores the LR and SPSR of the current mode to the stack of a specified mode"
+
+Problem:
+When executing this instruction, the register stored is CPSR instead of SPSR.
+
+Context:
+Using QEMU 1.2.0 to simulate a Zynq application (processor Cortex-a9 mpcore) with the following command line:
+qemu-system-arm -M xilinx-zynq-a9 -m 512 -serial null -serial mon:stdio -dtb /home/vcesson/workspace/xilinx_zynq.dtb -kernel install/tests/io/serial/current/tests/serial2 -S -s -nographic
\ No newline at end of file
diff --git a/results/classifier/user-mode-bugs/1156313 b/results/classifier/user-mode-bugs/1156313
new file mode 100644
index 00000000..54d2d0f9
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1156313
@@ -0,0 +1,128 @@
+semantic: 0.869
+mistranslation: 0.841
+assembly: 0.789
+device: 0.777
+instruction: 0.707
+other: 0.705
+vnc: 0.702
+graphic: 0.657
+socket: 0.605
+boot: 0.576
+network: 0.533
+KVM: 0.518
+
+X86-64 flags handling broken
+
+The current qemu sources cause improper handling of flags on x86-64.
+This bug seems to have shown up a few weeks ago.
+
+A plain install of Debian GNU/Linux makes user processes catch
+spurious signals.  The kernel seems to run stably, though.
+
+The ADX feature works very poorly.  It might be related; at least it
+allows for reproducibly provoking invalid behaviour.
+
+Here is a test case:
+
+================================================================
+qemumain.c
+#include <stdio.h>
+long adx();
+int
+main ()
+{
+  printf ("%lx\n", adx (0xffbeef, 17));
+  return 0;
+}
+================================================================
+qemuadx.s:
+        .globl  adx
+adx:    xor     %rax, %rax
+1:      dec     %rdi
+        jnz     1b
+        .byte 0xf3, 0x48, 0x0f, 0x38, 0xf6, 0xc0        # adox  %rax, %rax
+        .byte 0x66, 0x48, 0x0f, 0x38, 0xf6, 0xc0        # adcx  %rax, %rax
+        ret
+================================================================
+
+Compile and execute:
+$ gcc -m64 qemumain.c qemuadx.s
+$ a.out
+ffffff8000378cd8
+
+Expected output is simply "0".  The garbage value varies between qemu
+compiles and guest systems.
+
+Note that one needs a recent GNU assembler in order to handle adox and
+adcx.  For convenience I have supplied them as byte sequences.
+
+Exaplanation and feeble analysis:
+
+The 0xffbeef argument is a loop count.  It is necessary to loop for a
+while in order to trigger this bug.  If the loop count is decreased,
+the bug will seen intermittently; the lower the count, the less
+frequent the invalid behaviour.
+
+It seems like a reasonable assumption that this bug is related to
+flags handling at context switch.  Presumably, qemu keeps flags state
+in some internal format, then recomputes then when needing to form the
+eflags register, as needed for example for context switching.
+
+I haven't tried to reproduce this bug using qemu-x86_64 and SYSROOT,
+but I strongly suspect that to be impossible.  I use
+qemu-system-x86_64 and the guest Debian GNU/Linux x86_64 (version
+6.0.6) .
+
+The bug happens also with the guest FreeBSD x86_64 version 9.1.  (The
+iteration count for triggering the problem 50% of the runs is not the
+same when using the kernel Linux and FreeBSD's kernel, presumably due
+to different ticks.)
+
+The bug happens much more frequently for a loaded system; in fact, the
+loop count can be radically decreased if two instances of the trigger
+program are run in parallel.
+
+Richard Henderson <email address hidden> writes:
+
+  Patch at http://patchwork.ozlabs.org/patch/229139/
+  
+Thanks.  I can confirm that this fixes the bug triggered by my test case
+(and yours).  However, the instability of Debian GNU/Linux x86_64 has
+not improved.
+
+The exact same Debian version (debian "testing") updated at the same
+time runs well on hardware.
+
+My qemu Debian system now got messed up, since I attempted an upgrade in
+the buggy qemu, which segfaulted several times during the upgrade.  I
+need to reinstall, and then rely on -snapshot.
+
+There is a problem with denorms which is reproducible, but whether that
+is a qemu bug, and whether it can actually cause the observed
+instability, is questionable.  Here is a testcase for that problem:
+
+
+
+
+It should terminate.  The observed buggy behaviour is that it hangs.
+
+The instability problem can be observed at gmplib.org/devel/tm-date.html.
+hwl-deb.gmplib.org is Debian under qemu with -cpu Haswell,+adx.
+
+Not that the exact same qemu runs FreeBSD flawlessly (hwl.gmplib.org).
+It is neither instable nor does it run the denorms testcase poorly.
+
+I fully realise this is a hopeless bug report, but I am sure you can
+reproduce it, since it is far from GMP specific.  After all apt-get
+update; apt-get upgrade triggered it.  Debugging it will be a nightmare.
+
+Qemu version: main git repo from less than a week ago + Richard ADX
+patch.
+
+-- 
+Torbjörn
+
+
+It looks from this bug that we fixed the initial ADOX bug in commit c53de1a2896cc (2013), and I've just tried the 'qemu-denorm-problem.s' test case from comment #1 and it works OK, so I think we've fixed that denormals bug too. Given that, and that this bug report is 4 years old, I'm going to close it. If you're still having problems with recent versions of QEMU, please open a new bug.
+
+
diff --git a/results/classifier/user-mode-bugs/1377 b/results/classifier/user-mode-bugs/1377
new file mode 100644
index 00000000..441707f1
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1377
@@ -0,0 +1,15 @@
+
+x86 CVT* series instructions fault
+Description of problem:
+For example, CVTSD2SS instruction converts SRC[63:0] double precision floating point to DEST[31:0] single precision floating point. Although the CVTSD2SS instruction uses only 8 bytes, if it overlaps page boundary, I think QEMU tries to access over the valid memory and crashes.
+Steps to reproduce:
+1. Compile this code
+```
+void main() {
+    mmap(0x555555559000, 0x1000, flag, ~~, 0);
+    asm("cvtsd2ss xmm1, qword ptr [0x555555559ff8]");
+}
+```
+2. Execute. QEMU crashes but CPU does not.
+Additional information:
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/results/classifier/user-mode-bugs/1751494 b/results/classifier/user-mode-bugs/1751494
new file mode 100644
index 00000000..2e2e48a4
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1751494
@@ -0,0 +1,38 @@
+instruction: 0.878
+graphic: 0.676
+assembly: 0.586
+device: 0.585
+semantic: 0.580
+mistranslation: 0.510
+other: 0.502
+socket: 0.335
+network: 0.320
+vnc: 0.279
+boot: 0.154
+KVM: 0.051
+
+tcg-target.inc.c:3495:no such instruction: `xgetbv'
+
+While building QEMU on Mac OS 10.6.8 I saw this error message:
+tag-target.inc.c:3495:no such instruction: `xgetbv'
+In the file tcg/i386/tcg-target.inc.c at line 3495 is where the issue is located. This is the problem code:
+asm ("xgetbv" : "=a" (xcrl), "=d" (xcrh) : "c" (0));
+
+https://github.com/asmjit/asmjit/issues/78
+According to the above link, another project also experienced this problem on Mac OS X. The fix was to replace the name of the instruction with the encoded form '.byte 0x0F, 0x01, 0xd0'. 
+
+Host info:
+Mac OS 10.6.8
+GCC 5.2.0
+
+Additional information:
+This may be a gcc issue. I have compiled QEMU on Mac OS 10.12 and didn't experience any issues. The compiler used was Apple's clang.
+
+The exact commit that causes this problem is this:
+
+commit 770c2fc7bb70804ae9869995fd02dadd6d7656ac
+tcg/i386: Add vector operations
+
+This has been fixed here:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1019242af11400252
+
diff --git a/results/classifier/user-mode-bugs/1809546 b/results/classifier/user-mode-bugs/1809546
new file mode 100644
index 00000000..f02d9255
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1809546
@@ -0,0 +1,45 @@
+
+Writing a byte to a pl011 SFR overwrites the whole SFR
+
+The bug is present in QEMU 2.8.1 and, if my analysis is correct, also on master.
+
+I first noticed that a PL011 UART driver, which is fine on real hardware, fails to enable the RX interrupt in the IMSC register when running in QEMU. However, the problem only comes up if the code is compiled without optimizations. I think I've narrowed it down to a minimal example that will exhibit the problem if run as a bare-metal application.
+
+Given:
+
+pl011_addr: .word 0x10009000
+
+The following snippet will be problematic:
+
+     ldr r3, pl011_addr
+     ldrb r2, [r3, #0x38]        // IMSC
+     mov r2, #0
+     orr r2, r2, #0x10           // R2 == 0x10
+     strb r2, [r3, #0x38]        // Whole word reads correctly after this
+     ldrb r2, [r3, #0x39]
+     mov r2, #0
+     strb r2, [r3, #0x39]        // Problem here! Overwrites offset 0x38 as well
+
+After the first strb instruction, which writes to 0x10009038, everything is fine. It can be seen in the QEMU monitor:
+
+(qemu) xp 0x10009038
+0000000010009038: 0x00000010
+
+After the second strb instruction, the write to 0x10009039 clears the entire word:
+
+(qemu) xp 0x10009038
+0000000010009038: 0x00000000
+
+QEMU command-line, using the vexpress-a9 which has the PL011 at 0x10009000:
+
+qemu-system-arm -S -M vexpress-a9 -m 32M -no-reboot -nographic -monitor telnet:127.0.0.1:1234,server,nowait -kernel pl011-sfr.bin -gdb tcp::2159 -serial mon:stdio
+
+Compiling the original C code with optimizations makes the driver work. It compiles down to assembly that only does a single write:
+
+    ldr r3, pl011_addr
+    mov r2, #0x10
+    str r2, [r3, #0x38]
+
+Attached is the an assembly file, and linkscript, that shows the problem, and also includes the working code.
+
+I haven't debugged inside of QEMU itself but it seems to me that the problem is in pl011_write in pl011.c - the functions looks at which offset is being written, and then writes the entire SFR that offset falls under, which means that changing a single byte will change the whole SFR.
\ No newline at end of file
diff --git a/results/classifier/user-mode-bugs/1824778 b/results/classifier/user-mode-bugs/1824778
new file mode 100644
index 00000000..aa50d5d8
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1824778
@@ -0,0 +1,9 @@
+
+PowerPC64: tlbivax does not work for addresses above 4G
+
+The tlbivax instruction in QEMU does not work for address above 4G. The reason behind this is a simple 32bit trunction of an address.
+Changing the argument ea from uint32_t to target_ulong for the function booke206_invalidate_ea_tlb() in target/ppc/mmu_helper.c solves the issue.
+
+I did not reproduce this using Linux so I have no public example for reproducing it. However it's a pretty straight forward change.
+
+Issue can be seen in all version of QEMU.
\ No newline at end of file
diff --git a/results/classifier/user-mode-bugs/1898954 b/results/classifier/user-mode-bugs/1898954
new file mode 100644
index 00000000..b95dfb21
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1898954
@@ -0,0 +1,28 @@
+
+x86 f1 opcode hangs qemu
+
+I have qemu installed and running in linux and windows
+in linux i execute the following simple code in real mode of cpu in my vm
+90 nop
+90 nop
+90 nop
+f1         ;this should conjure up my interrupt handler from ivt int 1
+--------- end of code ----
+it works properly in vbox,qemu linux,and even in my boot loder
+on a real platform
+   it doeas not work fine in windows 10 (32 bit efi) based qemu
+---
+all of the below was retyped there may be typo
+so onwards to the flawed software 
+********** for qemu-system-x86_64.exe **********
+info version 
+4.2.0v4.2.0.11797-g2890edc853-dirty
+********** for qemu-system-i386.exe **********
+info version 
+4.2.0v4.2.0.11797-g2890edc853-dirty
+***********************************************
+my startup code is
+"d:\programs\qemu\qemu-system-x86_64.exe" -m 16M -boot a -fda "d:\floppy.img" -cpu Nehalem -machine pc
+---
+also same flaw if i change above section to
+"d:\programs\qemu\qemu-system-i386.exe"
\ No newline at end of file
diff --git a/results/classifier/user-mode-bugs/1955 b/results/classifier/user-mode-bugs/1955
new file mode 100644
index 00000000..17cd3a9d
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1955
@@ -0,0 +1,39 @@
+instruction: 0.950
+graphic: 0.840
+semantic: 0.801
+device: 0.645
+other: 0.493
+socket: 0.420
+network: 0.394
+mistranslation: 0.346
+boot: 0.280
+vnc: 0.269
+assembly: 0.183
+KVM: 0.107
+
+powerpc instruction 'mffsl' not emulated on POWER8
+Description of problem:
+Since 2019, the function feenableexcept() in GNU libc makes use of the "mffsl" instruction.
+See https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/powerpc/fpu/feenablxcpt.c;h=b111ceaa4e2e1864fcbe043ccda34e03e9f14062;hb=HEAD#l28
+and https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/powerpc/fpu/fenv_libc.h;h=a2a12d914b47e99746003482b349a0675cc5ad34;hb=HEAD#l57
+
+In the emulated Debian system, executables that make use of this instruction crash with SIGILL.
+Likewise, under gdb (in the emulated system), there is a SIGILL at the 'mffsl' instruction.
+
+From the comments in the above glibc source, added by Paul A. Clarke <pc@us.ibm.com>:
+  "Nicely, it turns out that the 'mffsl' instruction will decode to
+   'mffs' on architectures older than "power9" because the additional
+   bits set for 'mffsl' are "don't care" for 'mffs'.  'mffs' is a superset
+   of 'mffsl'."
+
+This is indeed what I observe by compiling and running the attached program foo.c on a hardware machine with a POWER8 CPU: That program does not crash with a SIGILL.
+Steps to reproduce:
+1. Either run the attached 'test-fenv-except-tracking-5.ppc' (32-bit) program under qemu-system-ppc.
+2. Or run the the attached 'test-fenv-except-tracking-5.ppc64' (64-bit) program under qemu-system-ppc64 with -cpu POWER8.
+3. Or compile and run the attached foo.c and run it under QEMU.
+Additional information:
+[test-fenv-except-tracking-5.ppc.xz](/uploads/8222ebac115e8a865d5e520b25d423ff/test-fenv-except-tracking-5.ppc.xz)
+
+[test-fenv-except-tracking-5.ppc64.xz](/uploads/d0522723541a46e11ab55b8f45dfb574/test-fenv-except-tracking-5.ppc64.xz)
+
+[foo.c](/uploads/35d8b3b1e5b39ecb6a2a899132858ded/foo.c)