Diffstat (limited to 'results/classifier/105/instruction/1860920')
-rw-r--r--  results/classifier/105/instruction/1860920  51
1 files changed, 51 insertions, 0 deletions
diff --git a/results/classifier/105/instruction/1860920 b/results/classifier/105/instruction/1860920
new file mode 100644
index 000000000..d294da2a2
--- /dev/null
+++ b/results/classifier/105/instruction/1860920
@@ -0,0 +1,51 @@
+instruction: 0.831
+mistranslation: 0.736
+device: 0.697
+semantic: 0.681
+network: 0.592
+other: 0.580
+socket: 0.500
+boot: 0.497
+graphic: 0.362
+vnc: 0.311
+assembly: 0.160
+KVM: 0.126
+
+qemu-s390x-softmmu: crash 
+
+Trying to compile and use rust programs on an s390x emulated machine, crash in qemu/target/s390x/translate.c line 3894
+
+Steps to reproduce: 
+on a amd64 PC, installed debian on s390x emulated by qemu, seems to work fine (installed some packages, etc.)
+installed rust cargo (both from rustup and from debian)
+cargo install anything makes *qemu* crash when beginning to compile
+
+Technical details:
+* host: amd64 Linux
+* qemu v4.2.0 (recompiled from git with debug options using configure --target-list=s390x-softmmu --enable-debug) (problem appears also with older versions of qemu from git, with default compilation options, with qemu from debian, etc.)
+* compiled with gcc 9.2
+* command line, relevant part: qemu-system-s390x -snapshot -machine s390-ccw-virtio -cpu max,zpci=on -serial mon:stdio -display none -m 512
+(tested with -smp 4  -m 4096 as well and without snapshotting)
+* command line, less relevant part: -drive file=./debian.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none    -device virtio-blk-ccw,devno=fe.0.0001,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,scsi=off    -netdev user,id=mynet0,hostfwd=tcp::2223-:22 -device virtio-net-pci,netdev=mynet0 
+* core dump: abort in qemu/target/s390x/translate.c line 3894 ; s->field: op has value 0xEC and op2 has value 0x54
+(more info available if needed)
+
+Tried to patch source to add 0x54 case to no avail. 
+Tried other cpu variants to no avail as well. 
+
+Reporting this in security as well since it also looks very much like a DoS (albeit somewhat minor), feel free to tell me to report the bug somewhere else.
+
+There is definitely something wrong here ;-) According to the "Principles of Operations" ISA document, opcode 0xEC54 is the RNSBG instruction (ROTATE THEN AND SELECTED BITS). But op_rosbg() apparently currently handles 0xEC55, 0xEC56 and 0xEC57. 0xEC55 seems wrong there, since this opcode should be handled by op_risbg() instead (according to target/s390x/insn-data.def). So the "case 0x55" seems to be a typo. Does it work if you replace "case 0x55" with "case 0x54" ?
+
+Suggested patch:
+https://lists.gnu.org/archive/html/qemu-devel/2020-01/msg07514.html
+"target/s390x/translate: Fix RNSBG instruction"
+
+Sorry for delay in answering, replacing 0x55 by 0x54 works fine for me. 
+
+Thanks. 
+
+
+Fixed here:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=0bab189c96c7
+
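Review bot: the new file has no explicit delimiter between the classifier output and the bug-report text it was scored on: the twelve `label: score` lines end at `KVM: 0.126`, then a single blank line, then the report starts with `qemu-s390x-softmmu: crash`. Because the report itself contains further blank lines and colon-separated lines (`Steps to reproduce:`, `Technical details:`, `* host: amd64 Linux`), a consumer can only recover the scores by splitting at the first blank line, which is fragile if a report ever starts with a `key: value` line or if the score block grows. Consider a dedicated separator line, a front-matter style header, or separate files for scores and text. Minor style point: several lines carry trailing whitespace (`qemu-s390x-softmmu: crash `, `Steps to reproduce: `, `Tried to patch source to add 0x54 case to no avail. `, `Thanks. `), which `git diff --check` flags; if the text is meant to be stored verbatim from the tracker that is acceptable, otherwise strip it before committing.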