diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:07 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:17 +0200 |
| commit | 9260319e7411ff8281700a532caa436f40120ec4 (patch) | |
| tree | 2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues/target_missing/host_missing/accel_missing/2742.toml | |
| parent | 225caa38269323af1bfc2daadff5ec8bd930747f (diff) | |
| download | qemu-analysis-9260319e7411ff8281700a532caa436f40120ec4.tar.gz qemu-analysis-9260319e7411ff8281700a532caa436f40120ec4.zip | |
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2742.toml')
| -rw-r--r-- | gitlab/issues/target_missing/host_missing/accel_missing/2742.toml | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml deleted file mode 100644 index fd41e975c..000000000 --- a/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml +++ /dev/null @@ -1,74 +0,0 @@ -id = 2742 -title = "heap-buffer-overflow in smc91c111_do_tx()" -state = "closed" -created_at = "2024-12-23T06:20:28.277Z" -closed_at = "2025-03-13T07:03:14.247Z" -labels = ["Fuzzer", "Networking", "workflow::Patch available"] -url = "https://gitlab.com/qemu-project/qemu/-/issues/2742" -host-os = "Ubuntu" -host-arch = "x86_64" -qemu-version = "commit aa3a285b5" -guest-os = "n/a" -guest-arch = "ARM" -description = """A buffer-overflow bug was triggered by my fuzzer at smc91c111_do_tx(). - -I've patched hw/net/smc91c111.c with: - -``` -diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c -index 702d0e8e83..286298bf06 100644 ---- a/hw/net/smc91c111.c -+++ b/hw/net/smc91c111.c -@@ -429,7 +429,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset, - /* Ignore. */ - return; - case 2: /* Packet Number Register */ -- s->packet_num = value; -+ s->packet_num = value & (NUM_PACKETS - 1); - return; - case 3: case 4: case 5: - /* Should be readonly, but linux writes to them anyway. Ignore. */ -``` - -The error is: - -``` -==2724739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022941 at pc 0x595ebbed687b bp 0x7fffa0098a50 sp 0x7fffa0098a48 -READ of size 1 at 0x629000022941 thread T0 - #0 0x595ebbed687a in smc91c111_do_tx hw/net/smc91c111.c:240:19 - #1 0x595ebbed687a in smc91c111_queue_tx hw/net/smc91c111.c:284:5 - #2 0x595ebbed687a in smc91c111_writeb hw/net/smc91c111.c:419:17 - #3 0x595ebbed687a in smc91c111_writefn hw/net/smc91c111.c:666:9 - #4 0x595ebd174d33 in memory_region_write_accessor system/memory.c:497:5 - #5 0x595ebd1744aa in access_with_adjusted_size system/memory.c:573:18 - #6 0x595ebd1738d8 in memory_region_dispatch_write system/memory.c - #7 0x595ebd1cc984 in flatview_write_continue_step system/physmem.c:2786:18 - #8 0x595ebd1b9880 in flatview_write_continue system/physmem.c:2816:19 - #9 0x595ebd1b9880 in flatview_write system/physmem.c:2847:12 - #10 0x595ebd1b9517 in address_space_write system/physmem.c:2967:18 - #11 0x595ebc77d5c3 in qtest_process_command system/qtest.c:522:13 - #12 0x595ebc77b83b in qtest_process_inbuf system/qtest.c:776:9 - ... -```""" -reproduce = """``` -export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb" -cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio -clock_step -clock_step -writel 0x4e000000 0x2b1e08f5 -writew 0x4e000000 0x2b1e08f5 -writel 0x4e00000c 0x66027d24 -clock_step -readb 0x4e000000 -writel 0x4e000008 0x238e1f29 -writew 0x4e000000 0x41d9fe3b -writel 0x4e00000c 0x27022a2d -clock_step -readw 0x4e000004 -clock_step -readb 0x4e000008 -clock_step -writew 0x4e000000 0x620c5fdf -EOF -```""" -additional = """""" |