summary refs log tree commit diff stats
path: root/results/classifier/105/KVM/1910941
diff options
context:
space:
mode:
authorChristian Krinitsin <mail@krinitsin.com>2025-06-03 12:04:13 +0000
committerChristian Krinitsin <mail@krinitsin.com>2025-06-03 12:04:13 +0000
commit256709d2eb3fd80d768a99964be5caa61effa2a0 (patch)
tree05b2352fba70923126836a64b6a0de43902e976a /results/classifier/105/KVM/1910941
parent2ab14fa96a6c5484b5e4ba8337551bb8dcc79cc5 (diff)
downloadqemu-analysis-256709d2eb3fd80d768a99964be5caa61effa2a0.tar.gz
qemu-analysis-256709d2eb3fd80d768a99964be5caa61effa2a0.zip
add new classifier result
Diffstat (limited to 'results/classifier/105/KVM/1910941')
-rw-r--r--results/classifier/105/KVM/1910941143


1 files changed, 143 insertions, 0 deletions
diff --git a/results/classifier/105/KVM/1910941 b/results/classifier/105/KVM/1910941
new file mode 100644
index 000000000..08cc0e05d
--- /dev/null
+++ b/results/classifier/105/KVM/1910941
@@ -0,0 +1,143 @@
+KVM: 0.763
+other: 0.722
+vnc: 0.689
+mistranslation: 0.642
+graphic: 0.591
+device: 0.583
+semantic: 0.567
+instruction: 0.563
+network: 0.533
+socket: 0.520
+assembly: 0.513
+boot: 0.483
+
+Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
+
+Hello,
+
+Using hypervisor fuzzer, hyfuzz, I found an assertion failure through virtio-blk emulator.
+
+A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
+
+This was found in version 5.2.0 (master)
+
+```
+
+qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+[1]    1877 abort (core dumped)  /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
+
+Program terminated with signal SIGABRT, Aborted.
+#0  0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+#1  0x00007f71cc1738b1 in __GI_abort () at abort.c:79
+#2  0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
+#3  0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
+#4  0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
+#5  0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
+#6  0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
+#7  0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
+#8  0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
+#9  0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
+#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
+#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
+#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
+#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
+#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
+#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
+#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
+#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
+#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
+#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
+#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
+#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
+#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
+#24 0x000056537a92894a in _start ()
+
+```
+
+To reproduce this issue, please run the QEMU with the following command line.
+
+```
+
+# To reproduce this issue, please run the QEMU process with the following command line.
+
+$ qemu-system-i386 -m 512  -drive file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-pci,drive=drive0,id=virtblk0,num-queues=4 -drive file=disk.img,if=none,id=drive0
+
+```
+
+Please let me know if I can provide any further info.
+
+Thank you.
+
+
+
+This is OSS-Fuzz Issue 26797
+
+=== Reproducer ===
+cat << EOF | ./qemu-system-i386 -machine q35 \
+-device virtio-blk,drive=disk0 \
+-drive file=null-co://,id=disk0,if=none,format=raw \
+-serial none -monitor none -qtest stdio -nographic 
+outl 0xcf8 0x80001890
+outl 0xcfc 0x4
+outl 0xcf8 0x8000188a
+outl 0xcfc 0xd4624
+outl 0xcf8 0x80001894
+outl 0xcfc 0x20000002
+outl 0xcf8 0x80001889
+outl 0xcfc 0x18000000
+outl 0xcf8 0x80001896
+outl 0xcfc 0x0
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x20
+outl 0xcf8 0x80001894
+outl 0xcfc 0x1
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x1c
+outl 0xcf8 0x80001895
+outl 0xcfc 0x0
+outl 0xcf8 0x80001889
+outl 0xcfc 0x18000000
+outl 0xcf8 0x80001894
+outl 0xcfc 0x40
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x14
+outl 0xcf8 0x80001894
+outl 0xcfc 0x1004
+EOF
+
+=== Stack Trace ===
+qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+
+==2382430== ERROR: libFuzzer: deadly signal
+#8 address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
+#9 stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
+#10 virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
+#11 vring_set_avail_event /src/qemu/hw/virtio/virtio.c:429:5
+#12 virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:438:9
+#13 virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:499:9
+#14 virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
+#15 virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
+#16 virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2326:15
+#17 virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3533:9
+#18 aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
+#19 aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
+#20 aio_dispatch /src/qemu/util/aio-posix.c:382:5
+#21 aio_ctx_dispatch /src/qemu/util/async.c:306:5
+#22 g_main_context_dispatch
+#23 glib_pollfds_poll /src/qemu/util/main-loop.c:232:9
+#24 os_host_main_loop_wait /src/qemu/util/main-loop.c:255:5
+#25 main_loop_wait /src/qemu/util/main-loop.c:531:11
+#26 flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:49:9
+#27 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:683:17
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.6797
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/301
+
+