diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
| commit | d0c85e36e4de67af628d54e9ab577cc3fad7796a (patch) | |
| tree | f8f784b0f04343b90516a338d6df81df3a85dfa2 /results/classifier/gemma3:12b/device/1878259 | |
| parent | 7f4364274750eb8cb39a3e7493132fca1c01232e (diff) | |
| download | qemu-analysis-d0c85e36e4de67af628d54e9ab577cc3fad7796a.tar.gz qemu-analysis-d0c85e36e4de67af628d54e9ab577cc3fad7796a.zip | |
add deepseek and gemma results
Diffstat (limited to 'results/classifier/gemma3:12b/device/1878259')
| -rw-r--r-- | results/classifier/gemma3:12b/device/1878259 | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/1878259 b/results/classifier/gemma3:12b/device/1878259 new file mode 100644 index 000000000..ad76d8d4b --- /dev/null +++ b/results/classifier/gemma3:12b/device/1878259 @@ -0,0 +1,55 @@ + +Null-pointer dereference in megasas_handle_frame + +Hello, +While fuzzing, I found an input that triggers a null-pointer dereference in megasas_handle_frame: + +==1595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55e3e83e6e08 bp 0x7ffdb04c63b0 sp 0x7ffd +==1595==The signal is caused by a READ memory access. +==1595==Hint: address points to the zero page. + #0 0x55e3e83e6e08 in megasas_handle_frame /home/alxndr/Development/qemu/hw/scsi/megasas.c:1952:36 + #1 0x55e3e83e6e08 in megasas_mmio_write /home/alxndr/Development/qemu/hw/scsi/megasas.c:2122:9 + #2 0x55e3e7d088d6 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5 + #3 0x55e3e7d0827f in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18 + #4 0x55e3e7d0827f in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16 + #5 0x55e3e7c1d1d3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23 + #6 0x55e3e7c15b97 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14 + #7 0x55e3e7c15b97 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18 + #8 0x55e3e7d03bc4 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9 + #9 0x55e3e7cfe74d in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9 + #10 0x55e3e8804cad in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9 + #11 0x7f602ef2a897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897) + #12 0x55e3e8948384 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9 + #13 0x55e3e8948384 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5 + #14 0x55e3e8948384 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11 + #15 0x55e3e7f27676 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9 + #16 0x55e3e8851c6a in main /home/alxndr/Development/qemu/softmmu/main.c:49:5 + #17 0x7f602dadae0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16 + #18 0x55e3e7b5c7b9 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x9027b9) + +I can reproduce it in qemu 5.0 using: + +cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas +outl 0xcf8 0x80001814 +outl 0xcfc 0xc021 +outl 0xcf8 0x80001818 +outl 0xcf8 0x80001804 +outw 0xcfc 0x7 +outl 0xcf8 0x80001810 +outl 0xcfc 0xe10c0000 +outl 0xcf8 0x8000f810 +outl 0xcf8 0x8000fa24 +outl 0xcfc 0xe10c4000 +outl 0xcf8 0x8000fa04 +outw 0xcfc 0x7 +outl 0xcf8 0x8000fb20 +write 0xe10c4384 0x15 0x838383838383838383838383838383838383838383 +write 0xc021e10c00c0 0x4 0x082c04dd +EOF + +I also attached the commands to this launchpad report, in case the formatting is broken: + +qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas < attachment + +Please let me know if I can provide any further info. +-Alex \ No newline at end of file |