path: root/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2742.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2742.toml74
1 files changed, 0 insertions, 74 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml
deleted file mode 100644
index fd41e975c..000000000
--- a/gitlab/issues/target_missing/host_missing/accel_missing/2742.toml
+++ /dev/null
@@ -1,74 +0,0 @@
-id = 2742
-title = "heap-buffer-overflow in smc91c111_do_tx()"
-state = "closed"
-created_at = "2024-12-23T06:20:28.277Z"
-closed_at = "2025-03-13T07:03:14.247Z"
-labels = ["Fuzzer", "Networking", "workflow::Patch available"]
-url = "https://gitlab.com/qemu-project/qemu/-/issues/2742"
-host-os = "Ubuntu"
-host-arch = "x86_64"
-qemu-version = "commit aa3a285b5"
-guest-os = "n/a"
-guest-arch = "ARM"
-description = """A buffer-overflow bug was triggered by my fuzzer at smc91c111_do_tx().
-
-I've patched hw/net/smc91c111.c with:
-
-```
-diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
-index 702d0e8e83..286298bf06 100644
---- a/hw/net/smc91c111.c
-+++ b/hw/net/smc91c111.c
-@@ -429,7 +429,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
-              /* Ignore.  */
-              return;
-          case 2: /* Packet Number Register */
--            s->packet_num = value;
-+            s->packet_num = value & (NUM_PACKETS - 1);
-              return;
-          case 3: case 4: case 5:
-              /* Should be readonly, but linux writes to them anyway. Ignore.  */
-```
-
-The error is:
-
-```
-==2724739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022941 at pc 0x595ebbed687b bp 0x7fffa0098a50 sp 0x7fffa0098a48
-READ of size 1 at 0x629000022941 thread T0
-    #0 0x595ebbed687a in smc91c111_do_tx hw/net/smc91c111.c:240:19
-    #1 0x595ebbed687a in smc91c111_queue_tx hw/net/smc91c111.c:284:5
-    #2 0x595ebbed687a in smc91c111_writeb hw/net/smc91c111.c:419:17
-    #3 0x595ebbed687a in smc91c111_writefn hw/net/smc91c111.c:666:9
-    #4 0x595ebd174d33 in memory_region_write_accessor system/memory.c:497:5
-    #5 0x595ebd1744aa in access_with_adjusted_size system/memory.c:573:18
-    #6 0x595ebd1738d8 in memory_region_dispatch_write system/memory.c
-    #7 0x595ebd1cc984 in flatview_write_continue_step system/physmem.c:2786:18
-    #8 0x595ebd1b9880 in flatview_write_continue system/physmem.c:2816:19
-    #9 0x595ebd1b9880 in flatview_write system/physmem.c:2847:12
-    #10 0x595ebd1b9517 in address_space_write system/physmem.c:2967:18
-    #11 0x595ebc77d5c3 in qtest_process_command system/qtest.c:522:13
-    #12 0x595ebc77b83b in qtest_process_inbuf system/qtest.c:776:9
-    ...
-```"""
-reproduce = """```
-export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
-cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
-clock_step
-clock_step
-writel 0x4e000000 0x2b1e08f5
-writew 0x4e000000 0x2b1e08f5
-writel 0x4e00000c 0x66027d24
-clock_step
-readb 0x4e000000
-writel 0x4e000008 0x238e1f29
-writew 0x4e000000 0x41d9fe3b
-writel 0x4e00000c 0x27022a2d
-clock_step
-readw 0x4e000004
-clock_step
-readb 0x4e000008
-clock_step
-writew 0x4e000000 0x620c5fdf
-EOF
-```"""
-additional = """"""