diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:00 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:33 +0000 |
| commit | 9aba81d8eb048db908c94a3c40c25a5fde0caee6 (patch) | |
| tree | b765e7fb5e9a3c2143c68b0414e0055adb70e785 /results/classifier/118/all/1911216 | |
| parent | b89a938452613061c0f1f23e710281cf5c83cb29 (diff) | |
| download | qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.tar.gz qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.zip | |
add 18th iteration of classifier
Diffstat (limited to 'results/classifier/118/all/1911216')
| -rw-r--r-- | results/classifier/118/all/1911216 | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/results/classifier/118/all/1911216 b/results/classifier/118/all/1911216 new file mode 100644 index 000000000..97df6870e --- /dev/null +++ b/results/classifier/118/all/1911216 @@ -0,0 +1,118 @@ +user-level: 0.973 +register: 0.957 +mistranslation: 0.956 +peripherals: 0.955 +i386: 0.948 +risc-v: 0.944 +device: 0.944 +permissions: 0.939 +arm: 0.932 +boot: 0.931 +assembly: 0.931 +semantic: 0.930 +graphic: 0.930 +debug: 0.930 +performance: 0.929 +virtual: 0.926 +files: 0.923 +x86: 0.923 +ppc: 0.923 +socket: 0.919 +vnc: 0.916 +architecture: 0.914 +KVM: 0.913 +VMM: 0.913 +TCG: 0.911 +hypervisor: 0.907 +network: 0.905 +PID: 0.900 +kernel: 0.900 + +abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary + +Hello, + +I found an assertion failure in hw/usb/hcd-ohci.c:1297 + +This was found in latest version 5.2.0. + +my reproduced environment is as follows: + Host: ubuntu 18.04 + Guest: ubuntu 18.04 + +QEMU boot command line: +qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:5555-:22 -display none -device pci-ohci,id=ohci -device usb-tablet,bus=ohci.0,port=1,id=usbdev1 + + +backtrace is as follows +pwndbg> bt +#0 0x00007fdf392aa438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 +#1 0x00007fdf392ac03a in __GI_abort () at abort.c:89 +#2 0x000055c613721118 in ohci_frame_boundary (opaque=0x6270000191f0) at hw/usb/hcd-ohci.c:1297 +#3 0x000055c6140bdf0e in timerlist_run_timers (timer_list=0x60b00005bcc0) at util/qemu-timer.c:572 +#4 0x000055c6140be15a in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at util/qemu-timer.c:586 +#5 0x000055c6140beac7 in qemu_clock_run_all_timers () at util/qemu-timer.c:672 +#6 0x000055c6140a1938 in main_loop_wait (nonblocking=0) at util/main-loop.c:523 +#7 0x000055c6125d87e9 in qemu_main_loop () at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/vl.c:1676 +#8 0x000055c613f216ea in main (argc=7, argv=0x7fff174cdd28, envp=0x7fff174cdd68) at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/main.c:49 +#9 0x00007fdf39295840 in __libc_start_main (main=0x55c613f21699 <main>, argc=7, argv=0x7fff174cdd28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff174cdd18) at ../csu/libc-start.c:291 +#10 0x000055c6120a4349 in _start () + +The poc is attached. + + + +Seems to be the same as OSS-Fuzz Issue 29224 + +=== Reproducer === +cat << EOF | ./qemu-system-i386 -machine q35 \ +-machine accel=qtest, -m 512M -nodefaults \ +-device pci-ohci -display none -qtest stdio +outl 0xcf8 0x80000801 +outl 0xcfc 0x16000000 +outl 0xcf8 0x80000813 +outl 0xcfc 0x23 +clock_step +write 0x23000004 0x1 0x84 +clock_step +write 0x0 0x1 0x7e +write 0x1 0x1 0xaa +write 0x3 0x1 0x16 +write 0x1600aa8a 0x1 0xa0 +write 0xa1 0x1 0x80 +write 0xa4 0x1 0x20 +clock_step +EOF + +=== Stack Trace === +==6351==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000018cf (pc 0x7f675c885438 bp 0x7fff157e6150 sp 0x7fff157e5e68 T0) +#0 raise +#1 abort +#2 ohci_frame_boundary /src/qemu/hw/usb/hcd-ohci.c:1297:13 +#3 timerlist_run_timers /src/qemu/util/qemu-timer.c:574:9 +#4 qemu_clock_run_timers /src/qemu/util/qemu-timer.c:588:12 +#5 qtest_clock_warp /src/qemu/softmmu/qtest.c:356:9 +#6 qtest_process_command /src/qemu/softmmu/qtest.c:752:9 +#7 qtest_process_inbuf /src/qemu/softmmu/qtest.c:797:9 +#8 qtest_server_inproc_recv /src/qemu/softmmu/qtest.c:904:9 +#9 send_wrapper /src/qemu/tests/qtest/libqtest.c:1388:5 +#10 qtest_sendf /src/qemu/tests/qtest/libqtest.c:438:5 +#11 qtest_clock_step_next /src/qemu/tests/qtest/libqtest.c:910:5 +#12 op_clock_step /src/qemu/tests/qtest/fuzz/generic_fuzz.c:575:5 +#13 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17 + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29176 + + +Hi! Can you still reproduce this issue with QEMU v6.0 ? At least Alexander's reproducer does not seem to trigger this issue anymore... + +OSS-Fuzz still has a functioning reproducer. I'll copy this one over to gitlab + +I moved this report over to QEMU's new bug tracker on gitlab.com. +Please continue with the discussion here: + +https://gitlab.com/qemu-project/qemu/-/issues/545 + +Thanks for moving it over! ... let's close this one here on Launchpad now. + + |