diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
| commit | d0c85e36e4de67af628d54e9ab577cc3fad7796a (patch) | |
| tree | f8f784b0f04343b90516a338d6df81df3a85dfa2 /results/classifier/gemma3:12b/hypervisor/1914353 | |
| parent | 7f4364274750eb8cb39a3e7493132fca1c01232e (diff) | |
| download | qemu-analysis-d0c85e36e4de67af628d54e9ab577cc3fad7796a.tar.gz qemu-analysis-d0c85e36e4de67af628d54e9ab577cc3fad7796a.zip | |
add deepseek and gemma results
Diffstat (limited to 'results/classifier/gemma3:12b/hypervisor/1914353')
| -rw-r--r-- | results/classifier/gemma3:12b/hypervisor/1914353 | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/hypervisor/1914353 b/results/classifier/gemma3:12b/hypervisor/1914353 new file mode 100644 index 000000000..1446114c1 --- /dev/null +++ b/results/classifier/gemma3:12b/hypervisor/1914353 @@ -0,0 +1,51 @@ + +QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID + +Via [qemu-security] list + ++-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+ +| On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote: +| > Per the ARM Generic Interrupt Controller Architecture specification +| > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, +| > not 10: +| > +| > - Table 4-21 GICD_SGIR bit assignments +| > +| > The Interrupt ID of the SGI to forward to the specified CPU +| > interfaces. The value of this field is the Interrupt ID, in +| > the range 0-15, for example a value of 0b0011 specifies +| > Interrupt ID 3. +| > +... +| > Correct the irq mask to fix an undefined behavior (which eventually +| > lead to a heap-buffer-overflow, see [Buglink]): +| > +| > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio +| > [I 1612088147.116987] OPENED +| > [R +0.278293] writel 0x8000f00 0xff4affb0 +| > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' +| > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 +| > +| > Cc: <email address hidden> +| > Fixes: 9ee6e8bb853 ("ARMv7 support.") +| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 +| > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 +... + +On 210202 1221, Peter Maydell wrote: +> In both cases the overrun is on the first writel to 0x8000f00, +> but the fuzzer has for some reason not reported that but instead +> blundered on until it happens to trigger some other issue that +> resulted from the memory corruption it induced with the first write. +> +... +> On the CVE: +> +> Since this can affect systems using KVM, this is a security bug for +> us. However, it only affects an uncommon configuration: +> you are only vulnerable if you are using "kernel-irqchip=off" +> (the default is 'on', and turning it off is an odd thing to do). +> +> thanks +> -- PMM +> \ No newline at end of file |