diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:07 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:17 +0200 |
| commit | 9260319e7411ff8281700a532caa436f40120ec4 (patch) | |
| tree | 2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml | |
| parent | 225caa38269323af1bfc2daadff5ec8bd930747f (diff) | |
| download | qemu-analysis-9260319e7411ff8281700a532caa436f40120ec4.tar.gz qemu-analysis-9260319e7411ff8281700a532caa436f40120ec4.zip | |
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml')
| -rw-r--r-- | gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml | 80 |
1 files changed, 0 insertions, 80 deletions
diff --git a/gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml b/gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml deleted file mode 100644 index 139791001..000000000 --- a/gitlab/issues/target_riscv/host_missing/accel_missing/1050.toml +++ /dev/null @@ -1,80 +0,0 @@ -id = 1050 -title = "[BUG] heap-buffer-overflow in sifive_plic_create" -state = "closed" -created_at = "2022-05-31T09:30:39.047Z" -closed_at = "2022-06-10T12:53:23.950Z" -labels = ["target: riscv"] -url = "https://gitlab.com/qemu-project/qemu/-/issues/1050" -host-os = "n/a" -host-arch = "n/a" -qemu-version = "n/a" -guest-os = "n/a" -guest-arch = "n/a" -description = """I run check-qtest-riscv64 in ubuntu20.04, and got a heap-buffer-overflow report with address sanitizer -HEAD: 7077fcb9b68f058809c9dd9fd1dacae1881e886c""" -reproduce = """run -`G_TEST_DBUS_DAEMON=/root/o/sources/qemu/tests/dbus-vmstate-daemon.sh QTEST_QEMU_IMG=./qemu-img MALLOC_PERTURB_=58 QTEST_QEMU_STORAGE_DAEMON_BINARY=./storage-daemon/qemu-storage-daemon QTEST_QEMU_BINARY=./qemu-system-riscv64 /root/o/sources/qemu/build/tests/qtest/test-hmp --tap -k`""" -additional = """I think is because on some conditions when after `j++(hw/intc/sifive_plic.c:458)`, it accesses `plic->addr_config[j](hw/intc/sifive_plic.c:463)` and results in heap-overflow. -I tried to modify `hw/intc/sifive_plic.c:463` to else-if, then the report gone. -Could you please have a check. -``` -==63425==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000031624 at pc 0x561afe157d54 bp 0x7ffcd8aef510 sp 0x7ffcd8aef500 -READ of size 4 at 0x602000031624 thread T0 - #0 0x561afe157d53 in sifive_plic_create ../hw/intc/sifive_plic.c:463 - #1 0x561afdc0ac7f in sifive_e_soc_realize ../hw/riscv/sifive_e.c:207 - #2 0x561afe6698fb in device_set_realized ../hw/core/qdev.c:531 - #3 0x561afe679b90 in property_set_bool ../qom/object.c:2273 - #4 0x561afe681c7f in object_property_set ../qom/object.c:1408 - #5 0x561afe68b763 in object_property_set_qobject ../qom/qom-qobject.c:28 - #6 0x561afe682535 in object_property_set_bool ../qom/object.c:1477 - #7 0x561afdc0a601 in sifive_e_machine_init ../hw/riscv/sifive_e.c:91 - #8 0x561afd34d608 in machine_run_board_init ../hw/core/machine.c:1427 - #9 0x561afda49697 in qemu_init_board ../softmmu/vl.c:2610 - #10 0x561afda49697 in qmp_x_exit_preconfig ../softmmu/vl.c:2706 - #11 0x561afda49697 in qmp_x_exit_preconfig ../softmmu/vl.c:2699 - #12 0x561afda504ee in qemu_init ../softmmu/vl.c:3737 - #13 0x561afd1cf4ae in qemu_main ../softmmu/main.c:35 - #14 0x561afd1cf4ae in main ../softmmu/main.c:45 - #15 0x7f9d13bf3082 in __libc_start_main ../csu/libc-start.c:308 - #16 0x561afd1de78d in _start (/root/o/sources/qemu/build/qemu-system-riscv64+0x271378d) - -0x602000031624 is located 8 bytes to the right of 12-byte region [0x602000031610,0x60200003161c) -allocated by thread T0 here: - #0 0x7f9d15026808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 - #1 0x7f9d14a84e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98) - -SUMMARY: AddressSanitizer: heap-buffer-overflow ../hw/intc/sifive_plic.c:463 in sifive_plic_create -Shadow bytes around the buggy address: - 0x0c047fffe270: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa - 0x0c047fffe280: fa fa 05 fa fa fa 07 fa fa fa fd fa fa fa 02 fa - 0x0c047fffe290: fa fa 00 01 fa fa fd fd fa fa fd fa fa fa fd fd - 0x0c047fffe2a0: fa fa 00 02 fa fa 00 02 fa fa 05 fa fa fa 07 fa - 0x0c047fffe2b0: fa fa 00 01 fa fa 07 fa fa fa 05 fa fa fa 07 fa -=>0x0c047fffe2c0: fa fa 00 04[fa]fa 04 fa fa fa 00 00 fa fa 00 00 - 0x0c047fffe2d0: fa fa 00 00 fa fa fd fd fa fa 00 03 fa fa fd fd - 0x0c047fffe2e0: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa fd fd - 0x0c047fffe2f0: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa fd fd - 0x0c047fffe300: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa fd fa - 0x0c047fffe310: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa 00 03 -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==63425==ABORTING -```""" |