summary refs log tree commit diff stats
path: root/results/classifier/105/other/1815
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/other/1815')
-rw-r--r--results/classifier/105/other/181595
1 files changed, 95 insertions, 0 deletions
diff --git a/results/classifier/105/other/1815 b/results/classifier/105/other/1815
new file mode 100644
index 000000000..c63c80344
--- /dev/null
+++ b/results/classifier/105/other/1815
@@ -0,0 +1,95 @@
+other: 0.872
+semantic: 0.829
+graphic: 0.828
+device: 0.806
+instruction: 0.786
+assembly: 0.757
+mistranslation: 0.749
+KVM: 0.744
+socket: 0.720
+network: 0.695
+vnc: 0.689
+boot: 0.665
+
+Null pointer access in nvme_directive_receive()
+Description of problem:
+Got an access within null pointer error when fuzzing nvme.
+Steps to reproduce:
+Minimized reproducer for the error:
+
+```plaintext
+cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 \
+-nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device \
+nvme,drive=disk0,serial=1 -qtest /dev/null -qtest stdio
+outl 0xcf8 0x80000810
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80000804
+outw 0xcfc 0x06
+write 0xe0000024 0x4 0x040002
+write 0xe0000014 0x4 0x61004600
+write 0xe0001000 0x1 0x04
+write 0x0 0x1 0x1a
+write 0x4 0x1 0x01
+write 0x2c 0x1 0x01
+EOF
+```
+Additional information:
+The crash report triggered by the reproducer is:
+
+```plaintext
+[I 0.000000] OPENED
+[R +0.025407] outl 0xcf8 0x80000810
+[S +0.025443] OK
+OK
+[R +0.025456] outl 0xcfc 0xe0000000
+[S +0.025470] OK
+OK
+[R +0.025476] outl 0xcf8 0x80000804
+[S +0.025483] OK
+OK
+[R +0.025489] outw 0xcfc 0x06
+[S +0.025934] OK
+OK
+[R +0.025946] write 0xe0000024 0x4 0x040002
+[S +0.025958] OK
+OK
+[R +0.025964] write 0xe0000014 0x4 0x61004600
+[S +0.025988] OK
+OK
+[R +0.026025] write 0xe0001000 0x1 0x04
+[S +0.026041] OK
+OK
+[R +0.026048] write 0x0 0x1 0x1a
+[S +0.026256] OK
+OK
+[R +0.026268] write 0x4 0x1 0x01
+[S +0.026279] OK
+OK
+[R +0.026292] write 0x2c 0x1 0x01
+[S +0.026303] OK
+OK
+../hw/nvme/ctrl.c:6890:29: runtime error: member access within null pointer of type 'NvmeEnduranceGroup' (aka 'struct NvmeEnduranceGroup')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/nvme/ctrl.c:6890:29 in
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==1085476==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001fc8 (pc 0x56306b765ebf bp 0x7ffff17fd890 sp 0x7ffff17f6a00 T0)
+==1085476==The signal is caused by a READ memory access.
+    #0 0x56306b765ebf in nvme_directive_receive ../hw/nvme/ctrl.c:6890:33
+    #1 0x56306b765ebf in nvme_admin_cmd ../hw/nvme/ctrl.c:6958:16
+    #2 0x56306b765ebf in nvme_process_sq ../hw/nvme/ctrl.c:7015:13
+    #3 0x56306cda2c3b in aio_bh_call ../util/async.c:169:5
+    #4 0x56306cda3384 in aio_bh_poll ../util/async.c:216:13
+    #5 0x56306cd3f15b in aio_dispatch ../util/aio-posix.c:423:5
+    #6 0x56306cda72da in aio_ctx_dispatch ../util/async.c:358:5
+    #7 0x7fa321cc417c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c) (BuildId: 5fdb313daf182a33a858ba2cc945211b11d34561)
+    #8 0x56306cda840f in glib_pollfds_poll ../util/main-loop.c:290:9
+    #9 0x56306cda840f in os_host_main_loop_wait ../util/main-loop.c:313:5
+    #10 0x56306cda840f in main_loop_wait ../util/main-loop.c:592:11
+    #11 0x56306bd17f76 in qemu_main_loop ../softmmu/runstate.c:732:9
+    #12 0x56306c721835 in qemu_default_main ../softmmu/main.c:37:14
+    #13 0x7fa320aeb082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #14 0x56306af0309d in _start (./qemu-system-x86_64+0x1e9109d)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV ../hw/nvme/ctrl.c:6890:33 in nvme_directive_receive
+```