summary refs log tree commit diff stats
path: root/gitlab/issues/target_missing/host_missing/accel_missing/2740.toml
diff options
context:
space:
mode:
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2740.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2740.toml75
1 files changed, 0 insertions, 75 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2740.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2740.toml
deleted file mode 100644
index bc9ddfec4..000000000
--- a/gitlab/issues/target_missing/host_missing/accel_missing/2740.toml
+++ /dev/null
@@ -1,75 +0,0 @@
-id = 2740
-title = "Out-of-bounds access and heap-use-after-free in smc91c111_writeb()"
-state = "closed"
-created_at = "2024-12-22T03:02:36.213Z"
-closed_at = "2024-12-22T22:26:19.976Z"
-labels = []
-url = "https://gitlab.com/qemu-project/qemu/-/issues/2740"
-host-os = "Ubuntu"
-host-arch = "x86_64"
-qemu-version = "commit 65cb7129f4160"
-guest-os = "n/a"
-guest-arch = "ARM"
-description = """An out-of-bounds access bug was triggered by my fuzzer.
-
-The error is:
-
-```
-../hw/net/smc91c111.c:457:17: runtime error: index 48 out of bounds for type 'uint8_t[4][2048]' (aka 'unsigned char[4][2048]')
-SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/net/smc91c111.c:457:17 in
-=================================================================
-==60006==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000385b4 at pc 0x5de3d1ac6add bp 0x7ffc4d4b2b30 sp 0x7ffc4d4b2b28
-WRITE of size 1 at 0x6290000385b4 thread T0
-warning: DWARF unit at offset 0x00417a37 has unsupported address size: 31 (supported are 2, 4, 8)
-    #0 0x5de3d1ac6adc in smc91c111_writeb smc91c111.c
-    #1 0x5de3d1abf6e3 in smc91c111_writefn smc91c111.c
-    #2 0x5de3d2d9e2d3 in memory_region_write_accessor memory.c
-    #3 0x5de3d2d9da4a in access_with_adjusted_size memory.c
-    #4 0x5de3d2d9ce78 in memory_region_dispatch_write
-    #5 0x5de3d2df5e44 in flatview_write_continue_step physmem.c
-    #6 0x5de3d2de2d40 in flatview_write physmem.c
-    #7 0x5de3d2de29d7 in address_space_write
-    ...
-
-0x6290000385b4 is located 5044 bytes inside of 16176-byte region [0x629000037200,0x62900003b130)
-freed by thread T0 here:
-    #0 0x5de3d1100027 in __interceptor_free.part.0 asan_malloc_linux.cpp
-    #1 0x5de3d2f35106 in object_unref
-    #2 0x5de3d24ac45c in qemu_get_nic_models
-    #3 0x5de3d24acead in qemu_create_nic_bus_devices
-    #4 0x5de3d2722553 in realview_init realview.c
-    #5 0x5de3d1468182 in machine_run_board_init
-    #6 0x5de3d237e40a in qmp_x_exit_preconfig
-    #7 0x5de3d238505c in qemu_init
-    ...
-
-previously allocated by thread T0 here:
-    #0 0x5de3d1101217 in malloc
-    #1 0x7ea39d40a738 in g_malloc
-    #2 0x5de3d24acead in qemu_create_nic_bus_devices
-    #3 0x5de3d2722553 in realview_init realview.c
-    #4 0x5de3d1468182 in machine_run_board_init
-    #5 0x5de3d237e40a in qmp_x_exit_preconfig
-    #6 0x5de3d238505c in qemu_init
-    ...
-```"""
-reproduce = """```
-export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
-cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
-clock_step
-readw 0x4e000000
-readw 0x4e000000
-clock_step
-writel 0x4e00000c 0x2402e660
-readb 0x4e000008
-readl 0x4e000000
-clock_step
-readb 0x4e000000
-writel 0x4e000000 0x66308c81
-writew 0x4e000008 0xe40ba4c
-readb 0x4e000000
-readw 0x4e000000
-readl 0x4e000008
-EOF
-```"""
-additional = """"""