summary refs log tree commit diff stats
path: root/results/classifier/105/other/1904652
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/other/1904652')
-rw-r--r--results/classifier/105/other/190465298
1 files changed, 98 insertions, 0 deletions
diff --git a/results/classifier/105/other/1904652 b/results/classifier/105/other/1904652
new file mode 100644
index 000000000..51f19c25c
--- /dev/null
+++ b/results/classifier/105/other/1904652
@@ -0,0 +1,98 @@
+other: 0.824
+graphic: 0.819
+device: 0.816
+semantic: 0.813
+instruction: 0.804
+assembly: 0.725
+mistranslation: 0.723
+vnc: 0.692
+network: 0.681
+socket: 0.633
+boot: 0.575
+KVM: 0.551
+
+Assertion failure in usb-ohci
+
+Hello,
+
+Using hypervisor fuzzer, hyfuzz, I found an assertion failure through usb-ohci.
+
+A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
+
+This was found in version 5.2.0 (master)
+
+--------
+
+```
+
+Program terminated with signal SIGABRT, Aborted.
+
+#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+[Current thread is 1 (Thread 0x7f34d0411440 (LWP 9418))]
+gdb-peda$ bt
+#0  0x00007f34c8d4ef47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+#1  0x00007f34c8d508b1 in __GI_abort () at abort.c:79
+#2  0x000055d3a2081844 in ohci_frame_boundary (opaque=0x55d3a4ecdaf0) at ../hw/usb/hcd-ohci.c:1297
+#3  0x000055d3a25be155 in timerlist_run_timers (timer_list=0x55d3a3fd9840) at ../util/qemu-timer.c:574
+#4  0x000055d3a25beaba in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at ../util/qemu-timer.c:588
+#5  0x000055d3a25beaba in qemu_clock_run_all_timers () at ../util/qemu-timer.c:670
+#6  0x000055d3a25e69a1 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
+#7  0x000055d3a2433972 in qemu_main_loop () at ../softmmu/vl.c:1678
+#8  0x000055d3a1d0969b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>,
+    argv@entry=0x7ffc6de722a8, envp=<optimized out>) at ../softmmu/main.c:50
+#9  0x00007f34c8d31b97 in __libc_start_main (main=
+    0x55d3a1d09690 <main>, argc=0x15, argv=0x7ffc6de722a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc6de72298) at ../csu/libc-start.c:310
+#10 0x000055d3a1d095aa in _start ()
+```
+
+To reproduce the assertion failure, please run the QEMU with the following command line.
+
+```
+[Terminal 1]
+
+$ qemu-system-i386 -m 512 -drive file=./fs.img,index=1,media=disk,format=raw -drive file=./hyfuzz.img,index=0,media=disk,format=raw -drive if=none,id=stick,file=./usbdisk.img,format=raw -device pci-ohci,id=usb -device usb-storage,bus=usb.0,drive=stick
+
+[Terminal 2]
+
+$ ./repro_log ./fs.img ./pci-ohci
+
+```
+
+Please let me know if I can provide any further info.
+-Cheolwoo, Myung (Seoul National University)
+
+
+
+The QEMU project is currently moving its bug tracking to another system.
+For this we need to know which bugs are still valid and which could be
+closed already. Thus we are setting the bug state to "Incomplete" now.
+
+If the bug has already been fixed in the latest upstream version of QEMU,
+then please close this ticket as "Fix released".
+
+If it is not fixed yet and you think that this bug report here is still
+valid, then you have two options:
+
+1) If you already have an account on gitlab.com, please open a new ticket
+for this problem in our new tracker here:
+
+    https://gitlab.com/qemu-project/qemu/-/issues
+
+and then close this ticket here on Launchpad (or let it expire auto-
+matically after 60 days). Please mention the URL of this bug ticket on
+Launchpad in the new ticket on GitLab.
+
+2) If you don't have an account on gitlab.com and don't intend to get
+one, but still would like to keep this ticket opened, then please switch
+the state back to "New" or "Confirmed" within the next 60 days (other-
+wise it will get closed as "Expired"). We will then eventually migrate
+the ticket automatically to the new system (but you won't be the reporter
+of the bug in the new system and thus you won't get notified on changes
+anymore).
+
+Thank you and sorry for the inconvenience.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+