summary refs log tree commit diff stats
path: root/results/classifier/105/other/1907497
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/other/1907497')
-rw-r--r--results/classifier/105/other/190749795
1 files changed, 95 insertions, 0 deletions
diff --git a/results/classifier/105/other/1907497 b/results/classifier/105/other/1907497
new file mode 100644
index 000000000..ce539d657
--- /dev/null
+++ b/results/classifier/105/other/1907497
@@ -0,0 +1,95 @@
+other: 0.893
+KVM: 0.860
+mistranslation: 0.849
+device: 0.833
+instruction: 0.812
+graphic: 0.790
+assembly: 0.790
+vnc: 0.757
+boot: 0.747
+socket: 0.739
+semantic: 0.731
+network: 0.704
+
+[OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
+
+ affects qemu
+
+=== Reproducer (build with --enable-sanitizers) ===
+
+cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
+-device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \
+-device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \
+-qtest stdio
+outl 0xcf8 0x80000804
+outw 0xcfc 0xffff
+write 0x0 0x1 0x12
+write 0x2 0x1 0x2f
+outl 0xcf8 0x80000811
+outl 0xcfc 0x5a6a4406
+write 0x6a44005a 0x1 0x11
+write 0x6a44005c 0x1 0x3f
+write 0x6a442050 0x4 0x0000446a
+write 0x6a44204a 0x1 0xf3
+write 0x6a44204c 0x1 0xff
+writeq 0x6a44005a 0x17b3f0011
+write 0x6a442050 0x4 0x0000446a
+write 0x6a44204a 0x1 0xf3
+write 0x6a44204c 0x1 0xff
+EOF
+
+=== Stack Trace ===
+==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 (pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0)
+    #0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159)
+    #1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12
+    #2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15
+    #3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10
+    #4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18
+    #5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
+    #6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12
+    #7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12
+    #8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1
+    #9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1
+    #10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16
+    #11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
+    #12 0x55c7cb2e6bd3 in access_with_adjusted_size softmmu/memory.c:552:18
+    #13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c
+    #14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23
+    #15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14
+    #16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18
+    #17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
+    #18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12
+    #19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12
+    #20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1
+    #21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1
+    #22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5
+    #23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
+    #24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
+...
+
+OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435
+
+
+
+I think this [0] commit actually fixes this bug, can someone please confirm it?
+
+[0] https://github.com/qemu/qemu/commit/1bf8b88f144bee747e386c88d45d772e066bbb36
+
+No, I can still reproduce this issue with current version from the git repo (commit 8f521741e1280f0957ac1) ... when I compile QEMU with Clang and --enable-sanitizers, the reproducer still crashes with "ERROR: AddressSanitizer: stack-overflow"
+
+Just FYI, this issue was assigned CVE-2021-3611 by Red Hat.
+
+@Thomas, could you try by compiling qemu with a commit close to the timeframe mentioned here [0]?
+
+[0] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435#c2
+
+@Gianluca: The problem still reproduces with the current master branch (commit 13d5f87cc3b94bfccc5), so the problem is definitely not fixed yet. So no, I certainly won't waste my time trying it on older versions.
+
+I moved this report over to QEMU's new bug tracker on gitlab.com.
+Please continue with the discussion here:
+
+https://gitlab.com/qemu-project/qemu/-/issues/542
+
+Thanks for moving it over! ... let's close this one here on Launchpad now.
+
+