device: 0.761
boot: 0.693
graphic: 0.667
network: 0.537
socket: 0.478
files: 0.465
vnc: 0.441
semantic: 0.369
PID: 0.344
permissions: 0.277
performance: 0.241
other: 0.217
debug: 0.149
KVM: 0.076

qemu-2.12.1 crashes when running malicious bootloader.

Running specific bootloader on Qemu causes fatal error and 
hence SIGABRT in /qemu-2.12.1/tcg/tcg.c on line 2684.

Bootloader binary code is included in attachments.
The code was generated by assembling a valid bootloader, then
appending random-bytes from file `/dev/urandom` to the binary file.



This is a bug, obviously, but note that we do not guarantee TCG binary translation to be a security boundary against malicious code. Don't run guest code you don't trust inside TCG without further sandboxing around QEMU. (Much of the code that runs in a TCG configuration is old and unaudited, so there may be lurking bugs. Configurations using KVM are the only ones where we treat guest escapes as security bugs.)


I think this bug was fixed in QEMU 3.1 -- I can reproduce the assert on 3.0 but not on 3.1.