diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:00 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:33 +0000 |
| commit | 9aba81d8eb048db908c94a3c40c25a5fde0caee6 (patch) | |
| tree | b765e7fb5e9a3c2143c68b0414e0055adb70e785 /results/classifier/118/permissions/2296 | |
| parent | b89a938452613061c0f1f23e710281cf5c83cb29 (diff) | |
| download | qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.tar.gz qemu-analysis-9aba81d8eb048db908c94a3c40c25a5fde0caee6.zip | |
add 18th iteration of classifier
Diffstat (limited to 'results/classifier/118/permissions/2296')
| -rw-r--r-- | results/classifier/118/permissions/2296 | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/results/classifier/118/permissions/2296 b/results/classifier/118/permissions/2296 new file mode 100644 index 000000000..3314b07d7 --- /dev/null +++ b/results/classifier/118/permissions/2296 @@ -0,0 +1,127 @@ +permissions: 0.803 +graphic: 0.772 +register: 0.758 +arm: 0.755 +virtual: 0.733 +user-level: 0.708 +assembly: 0.705 +PID: 0.704 +device: 0.698 +architecture: 0.693 +performance: 0.692 +debug: 0.689 +semantic: 0.668 +TCG: 0.647 +x86: 0.642 +ppc: 0.628 +boot: 0.628 +peripherals: 0.626 +mistranslation: 0.619 +risc-v: 0.601 +hypervisor: 0.591 +KVM: 0.581 +vnc: 0.562 +files: 0.540 +i386: 0.532 +VMM: 0.528 +network: 0.499 +kernel: 0.497 +socket: 0.391 + +heap-buffer-overflow in virtio-sound +Description of problem: +The following log reveals it: + +``` +==3191578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000068620 at pc 0x55dadcde4ec5 bp 0x7ffe7f18aef0 sp 0x7ffe7f18aee0 +READ of size 8 at 0x602000068620 thread T0 + #0 0x55dadcde4ec4 in virtio_snd_handle_rx_xfer ../hw/audio/virtio-snd.c:988 + #1 0x55daddffbf5e in virtio_queue_notify ../hw/virtio/virtio.c:2296 + #2 0x55dadd6cff4a in virtio_pci_notify_write ../hw/virtio/virtio-pci.c:1721 + #3 0x55dade0ab336 in memory_region_write_accessor ../system/memory.c:497 + #4 0x55dade0af3d0 in access_with_adjusted_size ../system/memory.c:573 + #5 0x55dade0b5032 in memory_region_dispatch_write ../system/memory.c:1528 + #6 0x55dade0ebb62 in flatview_write_continue_step ../system/physmem.c:2713 + #7 0x55dade0ebfb2 in flatview_write_continue ../system/physmem.c:2743 + #8 0x55dade0ebfb2 in flatview_write ../system/physmem.c:2774 + #9 0x55dade0edd58 in address_space_write ../system/physmem.c:2894 + #10 0x55dadd809972 in qtest_process_command ../system/qtest.c:679 + #11 0x55dadd80c3e2 in qtest_process_inbuf ../system/qtest.c:811 + #12 0x55dade6e79a4 in fd_chr_read ../chardev/char-fd.c:72 + #13 0x7f79b0d29c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #14 0x55dade998bcf in glib_pollfds_poll ../util/main-loop.c:287 + #15 0x55dade998bcf in os_host_main_loop_wait ../util/main-loop.c:310 + #16 0x55dade998bcf in main_loop_wait ../util/main-loop.c:589 + #17 0x55dadd810e00 in qemu_main_loop ../system/runstate.c:783 + #18 0x55dade2b703a in qemu_default_main ../system/main.c:37 + #19 0x7f79afe29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #20 0x7f79afe29e3f in __libc_start_main_impl ../csu/libc-start.c:392 + #21 0x55dadcb5a284 in _start (/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ef6284) + +0x602000068620 is located 0 bytes to the right of 16-byte region [0x602000068610,0x602000068620) +allocated by thread T0 here: + #0 0x7f79b18b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 + #1 0x7f79b0d32c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50) + #2 0x55dadebf5847 (/home/joey/repo/qemu/build/qemu-system-x86_64+0x4f91847) + +SUMMARY: AddressSanitizer: heap-buffer-overflow ../hw/audio/virtio-snd.c:988 in virtio_snd_handle_rx_xfer +Shadow bytes around the buggy address: + 0x0c0480005070: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa + 0x0c0480005080: fa fa 05 fa fa fa 07 fa fa fa 00 03 fa fa fd fd + 0x0c0480005090: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 06 + 0x0c04800050a0: fa fa 00 00 fa fa 00 00 fa fa 00 01 fa fa 05 fa + 0x0c04800050b0: fa fa 00 03 fa fa 00 03 fa fa 00 01 fa fa 00 05 +=>0x0c04800050c0: fa fa 00 00[fa]fa 00 00 fa fa 00 04 fa fa 00 00 + 0x0c04800050d0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa + 0x0c04800050e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa + 0x0c04800050f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa + 0x0c0480005100: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa + 0x0c0480005110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +``` +Steps to reproduce: +``` +cat << EOF | qemu-system-x86_64 -display none \ +-machine accel=qtest -m 512M -machine q35 -device \ +virtio-sound,audiodev=my_audiodev,streams=2 -audiodev \ +alsa,id=my_audiodev -qtest stdio +outl 0xcf8 0x80001804 +outw 0xcfc 0x06 +outl 0xcf8 0x80001820 +outl 0xcfc 0xe0008000 +write 0xe0008016 0x1 0x03 +write 0xe0008020 0x4 0x00901000 +write 0xe0008028 0x4 0x00a01000 +write 0xe000801c 0x1 0x01 +write 0xe000a004 0x1 0x40 +write 0x10c000 0x1 0x02 +write 0x109001 0x1 0xc0 +write 0x109002 0x1 0x10 +write 0x109008 0x1 0x04 +write 0x10a002 0x1 0x01 +write 0xe000b00d 0x1 0x00 +EOF +``` + +# Possible Fix + +check the user-assigned value in virtio_snd_set_config() |