[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtl8139_transmit_one
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
The frames above (rtl8139_write_buffer -> rtl8139_do_receive -> rtl8139_transfer_frame -> rtl8139_transmit_one -> ...) repeat until the stack is exhausted.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
A more concise reproducer with corresponding notes follows. Might help :)
-- [ Reproducer
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x06
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0xff000037 0x1 0x0c
writel 0xff000030 0xff000010
write 0xff000040 0x4 0x100006
write 0xff000044 0x4 0x01
write 0xff000010 0x4 0x01
EOF
-- [ Notes
/* Make the MMIO region start from 0xff000000 */
outl 0xcf8 0x80000817
outb 0xcfc 0xff
/* Command Register: enable receiver and transmitter */
write 0xff000037 0x1 0x0c
/* set Receive (Rx) Buffer Start Address at 0xff000010 */
/* Note: 0xff000010 - 0xff000000 = 0x10 is the offset of TSD0, i.e. the Rx buffer
 * points at the device's own MMIO register. In loopback mode the DMA write of the
 * received frame therefore lands on TSD0 and re-triggers a transmit, which is the
 * recursion seen in the stack trace (pci_dma_write -> rtl8139_ioport_write ->
 * rtl8139_TxStatus_write -> rtl8139_transmit -> ...). */
writel 0xff000030 0xff000010
/* TXRR, Tx Retry Count = 1 */
/* set transmit mode into the loopback */
write 0xff000040 0x4 0x100006
/* Receive Configuration Register: Accept All Packets */
write 0xff000044 0x4 0x01
/* TSD0: set Descriptor Size to 1 and trigger a transfer */
write 0xff000010 0x4 0x01
OSS-Fuzz says this issue has been fixed.
https://gitlab.com/qemu-project/qemu/-/commit/5311fb805a4403bba