summary refs log tree commit diff stats
path: root/results/classifier/108/other/1810956
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/other/1810956')
-rw-r--r--results/classifier/108/other/181095632
1 files changed, 32 insertions, 0 deletions
diff --git a/results/classifier/108/other/1810956 b/results/classifier/108/other/1810956
new file mode 100644
index 000000000..f0f39e90d
--- /dev/null
+++ b/results/classifier/108/other/1810956
@@ -0,0 +1,32 @@
+device: 0.761
+boot: 0.693
+graphic: 0.667
+network: 0.537
+socket: 0.478
+files: 0.465
+vnc: 0.441
+semantic: 0.369
+PID: 0.344
+permissions: 0.277
+performance: 0.241
+other: 0.217
+debug: 0.149
+KVM: 0.076
+
+qemu-2.12.1 crashes when running malicious bootloader.
+
+Running specific bootloader on Qemu causes fatal error and 
+hence SIGABRT in /qemu-2.12.1/tcg/tcg.c on line 2684.
+
+Bootloader binary code is included in attachments.
+The code was generated by assembling a valid bootloader, then
+appending random-bytes from file `/dev/urandom` to the binary file.
+
+
+
+This is a bug, obviously, but note that we do not guarantee TCG binary translation to be a security boundary against malicious code. Don't run guest code you don't trust inside TCG without further sandboxing around QEMU. (Much of the code that runs in a TCG configuration is old and unaudited, so there may be lurking bugs. Configurations using KVM are the only ones where we treat guest escapes as security bugs.)
+
+
+I think this bug was fixed in QEMU 3.1 -- I can reproduce the assert on 3.0 but not on 3.1.
+
+