diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:00 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:33 +0000 |
| commit | 9aba81d8eb048db908c94a3c40c25a5fde0caee6 (patch) | |
| tree | b765e7fb5e9a3c2143c68b0414e0055adb70e785 /results/classifier/118/none/1878263 | |
| parent | b89a938452613061c0f1f23e710281cf5c83cb29 (diff) | |
| download | qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.tar.gz qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.zip | |
add 18th iteration of classifier
Diffstat (limited to 'results/classifier/118/none/1878263')
| -rw-r--r-- | results/classifier/118/none/1878263 | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/results/classifier/118/none/1878263 b/results/classifier/118/none/1878263 new file mode 100644 index 000000000..8fb354e3b --- /dev/null +++ b/results/classifier/118/none/1878263 @@ -0,0 +1,79 @@ +user-level: 0.740 +virtual: 0.730 +risc-v: 0.712 +VMM: 0.704 +x86: 0.693 +KVM: 0.688 +TCG: 0.669 +hypervisor: 0.659 +vnc: 0.646 +device: 0.642 +graphic: 0.637 +peripherals: 0.633 +performance: 0.632 +ppc: 0.625 +mistranslation: 0.624 +register: 0.624 +i386: 0.618 +semantic: 0.616 +architecture: 0.610 +arm: 0.607 +assembly: 0.599 +permissions: 0.594 +debug: 0.586 +files: 0.567 +PID: 0.564 +boot: 0.564 +network: 0.545 +socket: 0.544 +kernel: 0.533 + +Assertion-failure in scsi_dma_complete, with megasas + +Hello, +While fuzzing, I found an input that triggers an assertion-failure in scsi_dma_complete, with megasas: + +#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556efa460 <str> "r->req.aiocb != NULL", file=0x555556ef9b20 <str> "/home/alxndr/Development/qemu/hw/scsi/scsi-disk.c", line=0x124, function=0x555556efa560 <__PRETTY_FUNCTION__.scsi_dma_complete> "void scsi_dma_complete(void *, int)") at assert.c:101 +#4 0x000055555669d473 in scsi_dma_complete (opaque=0x616000040280, ret=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:292 +#5 0x000055555639c89b in dma_complete (dbs=<optimized out>, ret=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:118 +#6 0x000055555639c89b in dma_blk_cb (opaque=<optimized out>, ret=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:136 +#7 0x000055555639bd58 in dma_blk_io (ctx=<optimized out>, sg=<optimized out>, offset=<optimized out>, align=<optimized out>, io_func=<optimized +out>, io_func_opaque=<optimized out>, cb=<optimized out>, opaque=<optimized out>, dir=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:232 +#8 0x000055555669baa5 in scsi_write_data (req=0x616000040280) at /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:583 +#9 0x00005555566b5d93 in scsi_req_continue (req=0x616000040280) at /home/alxndr/Development/qemu/hw/scsi/scsi-bus.c:1337 +#10 0x00005555566f52e3 in megasas_enqueue_req (cmd=<optimized out>, is_write=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1651 +#11 0x00005555566e276f in megasas_handle_io (s=<optimized out>, cmd=<optimized out>, frame_cmd=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1790 +#12 0x00005555566e276f in megasas_handle_frame (s=<optimized out>, frame_addr=<optimized out>, frame_count=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1969 +#13 0x00005555566e276f in megasas_mmio_write (opaque=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:2122 +#14 0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483 +#15 0x0000555556002280 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x7fffeeb301e0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544 +#16 0x0000555556002280 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x17, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476 +#17 0x0000555555f171d4 in flatview_write_continue (fv=<optimized out>, addr=0xc1c0, attrs=..., ptr=<optimized out>, len=0x1, addr1=0x7fffffffae00, l=<optimized out>, mr=0x7fffeeb301e0) at /home/alxndr/Development/qemu/exec.c:3137 +#18 0x0000555555f0fb98 in flatview_write (fv=0x606000038180, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /home/alxndr/Development/qemu/exec.c:3177 + + +I can reproduce it in qemu 5.0 using: + +cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas -device scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 +outl 0xcf8 0x80001818 +outl 0xcfc 0xc101 +outl 0xcf8 0x8000181c +outl 0xcf8 0x80001804 +outw 0xcfc 0x7 +outl 0xcf8 0x8000186a +write 0x14 0x1 0xfe +write 0x0 0x1 0x02 +outb 0xc1c0 0x17 +EOF + +I also attached the commands to this launchpad report, in case the formatting is broken: + +qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas -device scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 < attachment + +Please let me know if I can provide any further info. +-Alex + + + +Fixed in commit 4773a5f35b0d83674f92816a226a594b03bbcf60 + |