summary refs log tree commit diff stats
path: root/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml
diff options
context:
space:
mode:
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/1393.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/1393.toml73
1 files changed, 0 insertions, 73 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml b/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml
deleted file mode 100644
index a9799d670..000000000
--- a/gitlab/issues/target_missing/host_missing/accel_missing/1393.toml
+++ /dev/null
@@ -1,73 +0,0 @@
-id = 1393
-title = "Abort in audio_calloc()  of ac97"
-state = "closed"
-created_at = "2022-12-25T12:05:43.116Z"
-closed_at = "2022-12-28T08:22:16.002Z"
-labels = []
-url = "https://gitlab.com/qemu-project/qemu/-/issues/1393"
-host-os = "Ubuntu 20.04"
-host-arch = "x86"
-qemu-version = "7.0.94"
-guest-os = "Buildroot Linux"
-guest-arch = "x86"
-description = """Section 5.10.2 of the AC97 specification (https://hands.com/~lkcl/ac97_r23.pdf)
-shows the feasibility to support for rates other than 48kHZ. Specifically,
-AC97_PCM_Front_DAC_Rate (reg 2Ch) should be from 8kHZ to 48kHZ.
-
-
-An adversary can leverage this to crash QEMU.
-
-A nornal 48kHZ setting is like this.
-
-```
-ac97_realize
-  open_voice
-    as->freq = 0xbb80 # 0xbb80=48000
-    AUD_open_out
-      audio_pcm_create_voice_pair_out (sw is NULL)
-        audio_pcm_sw_init_out
-          sw->info.freq = as->freq (in audio_pcm_init_info())
-          sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
-          samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
-```
-
-A non-48kHZ setting is like this. Since `as->freq` is too small, `sw->ratio` is
-too large. Finally, `samples` is zero, failing the audio_calloc() in
-audio_pcm_sw_alloc_resources_out().
-
-```
-nam_writew
-  open_voice
-    as->freq = 0x6
-    AUD_open_out
-      audio_pcm_sw_init_out (sw is not NULL)
-        sw->info.freq = as->freq (in audio_pcm_init_info())
-        sw->ratio = ((int64_t) sw->hw->info.freq << 32) / sw->info.freq
-        samples = ((int64_t) sw->HWBUF->size << 32) / sw->ratio (in audio_pcm_sw_alloc_resources_out())
-        audio_calloc(.., samples, ) (in audio_pcm_sw_alloc_resources_out())
-```"""
-reproduce = """1. download the prepared rootfs and the image.
-
-    https://drive.google.com/file/d/1IfVCvn76HY-Eb4AZU7yvuyPzM3QC1q10/view?usp=sharing
-    https://drive.google.com/file/d/1JN6JgvOSI5aSLIdTEFKiskKbrGWFo0BO/view?usp=sharing
-
-2. run the following script.
-
-``` bash
-QEMU_PATH=../../../qemu-devel/build/x86_64-softmmu/qemu-system-x86_64
-KERNEL_PATH=./bzImage
-ROOTFS_PATH=./rootfs.ext2
-$QEMU_PATH \\
-    -M q35 -m 1G \\
-    -kernel $KERNEL_PATH \\
-    -drive file=$ROOTFS_PATH,if=virtio,format=raw \\
-    -append "root=/dev/vda console=ttyS0" \\
-    -net nic,model=virtio -net user \\
-    -device ac97,audiodev=snd0 -audiodev none,id=snd0 \\
-    -nographic
-```
-
-3. with spawned shell (the user is root and the password is empty), run
-`ac97-00`."""
-additional = """In the latest QEMU, this issue was generally fixed by 12f4abf6a245c43d8411577fd400373c85f08c6b and 0cbc8bd4694f32687bf47c6da48efa48fac35fd2 that remove abort() from the source code. Even though, I still plan to send a
-patch so that the warning about the invalid freq will be gone."""