Diffstat
-rw-r--r--  results/classifier/108/other/1825      29
-rw-r--r--  results/classifier/108/other/1825002  196
-rw-r--r--  results/classifier/108/other/1825311   72
-rw-r--r--  results/classifier/108/other/1825359  202
-rw-r--r--  results/classifier/108/other/1825452   61
5 files changed, 560 insertions, 0 deletions
diff --git a/results/classifier/108/other/1825 b/results/classifier/108/other/1825 new file mode 100644 index 000000000..4728e4eee --- /dev/null +++ b/results/classifier/108/other/1825 @@ -0,0 +1,29 @@ +device: 0.751 +graphic: 0.738 +files: 0.708 +semantic: 0.636 +debug: 0.545 +other: 0.450 +performance: 0.449 +PID: 0.418 +network: 0.409 +permissions: 0.362 +vnc: 0.341 +socket: 0.263 +boot: 0.256 +KVM: 0.035 + +pigz crashes when running in an aarch64 chroot (entered through qemu-binfmt) with qemu 8.1.0-rc*, qemu 8.0.3 is ok +Description of problem: +If qemu 8.1.0-rc1, -rc2 or -rc3 is used, pigz crashes. +``` +# chroot /chroot/aarch64 pigz /tmp/test +qemu: uncaught target signal 11 (Segmentation fault) - core dumped +Segmentation fault +``` +With qemu 8.0.3 on the same chroot enviroment, it works and produces the expected /chroot/aarch64/tmp/test.gz +Steps to reproduce: +1. Install an aarch64 chroot environment on x86_64 +2. Try using pigz to compress a file inside the chroot environment using qemu-binfmt +Additional information: +Unfortunately `git bisect`-ing the issue isn't easy because many snapshots between 8.0.0 (good) and 8.1.0-rc1 (first known bad) don't compile. diff --git a/results/classifier/108/other/1825002 b/results/classifier/108/other/1825002 new file mode 100644 index 000000000..75e3dbc1f --- /dev/null +++ b/results/classifier/108/other/1825002 
@@ -0,0 +1,196 @@ +performance: 0.715 +other: 0.658 +PID: 0.655 +network: 0.654 +files: 0.640 +permissions: 0.638 +debug: 0.632 +device: 0.596 +graphic: 0.563 +socket: 0.557 +semantic: 0.467 +vnc: 0.434 +KVM: 0.398 +boot: 0.379 + +"qemu: Unexpected FPU mode" since 0c1bbedc10e86ea9366b6af8c5520fafa3266b2f + +This happens every time I attempt to chroot into a gentoo-mips image unless I load the executable via ld.so + +/home (root)# chroot gentoo-mips32r2el /bin/sh +qemu: Unexpected FPU mode +/home (root)# chroot gentoo-mips32r2el /lib/ld-2.19.so /bin/sh +sh-4.2# exit +/home (root)# + +I don't know the underlying cause, but keep in mind that we may lie and claim to have an FPU when our CPU doesn't because of kernel emulation that may not be present in the host kernel. Don't know if that's related. + +I get this with various gentoo-mips stage3 tarballs, but not with OpenWRT. (e.g., https://gentoo.osuosl.org/experimental/mips/stages/mips32r2el/2014) + + + +# emerge --info app-emulation/qemu +Portage 2.3.51 (python 3.6.5-final-0, default/linux/amd64/17.0/desktop/plasma, gcc-8.2.0, glibc-2.27-r6, 4.14.96-gentoo x86_64) +================================================================= + System Settings +================================================================= +System uname: Linux-4.14.96-gentoo-x86_64-AMD_Ryzen_7_2700X_Eight-Core_Processor-with-gentoo-2.6 +KiB Mem: 32890732 total, 3480024 free +KiB Swap: 16777212 total, 10575592 free +Timestamp of repository gentoo: Thu, 11 Apr 2019 06:00:01 +0000 +Head commit of repository gentoo: 66eaaa28926103e690db0699466a274a17ab1979 +sh bash 4.4_p23-r1 +ld GNU ld (Gentoo 2.30 p5) 2.30.0 +distcc 3.3.2 x86_64-pc-linux-gnu [disabled] +ccache version 3.3.4 [disabled] +app-shells/bash: 4.4_p23-r1::gentoo +dev-java/java-config: 2.2.0-r4::gentoo +dev-lang/perl: 5.26.2::gentoo +dev-lang/python: 2.7.15::gentoo, 3.6.5::gentoo +dev-util/ccache: 3.3.4-r1::gentoo +dev-util/cmake: 3.9.6::gentoo +dev-util/pkgconfig: 0.29.2::gentoo 
+sys-apps/baselayout: 2.6-r1::gentoo +sys-apps/openrc: 0.38.3-r1::gentoo +sys-apps/sandbox: 2.13::gentoo +sys-devel/autoconf: 2.13-r1::gentoo, 2.64-r1::gentoo, 2.69-r4::gentoo +sys-devel/automake: 1.11.6-r3::gentoo, 1.13.4-r2::gentoo, 1.15.1-r2::gentoo, 1.16.1-r1::gentoo +sys-devel/binutils: 2.30-r4::gentoo +sys-devel/gcc: 4.9.4::gentoo, 5.4.0-r6::gentoo, 6.4.0-r5::gentoo, 7.3.0-r6::gentoo, 8.1.0-r3::gentoo, 8.2.0-r6::gentoo, 8.3.0::gentoo +sys-devel/gcc-config: 2.0::gentoo +sys-devel/libtool: 2.4.6-r3::gentoo +sys-devel/make: 4.2.1-r4::gentoo +sys-kernel/linux-headers: 4.14-r1::gentoo (virtual/os-headers) +sys-libs/glibc: 2.27-r6::gentoo +Repositories: + +gentoo + location: /usr/portage + sync-type: rsync + sync-uri: rsync://rsync.gentoo.org/gentoo-portage + priority: -1000 + sync-rsync-verify-jobs: 1 + sync-rsync-extra-opts: + sync-rsync-verify-metamanifest: yes + sync-rsync-verify-max-age: 24 + +love-local + location: /usr/local/portage + masters: gentoo + priority: 0 + +chaoslab + location: /var/lib/layman/chaoslab + masters: gentoo + priority: 50 + +java + location: /var/lib/layman/java + masters: gentoo + priority: 50 + +steam-overlay + location: /var/lib/layman/steam-overlay + masters: gentoo + priority: 50 + +zugaina + location: /var/lib/layman/zugaina + masters: gentoo + priority: 50 + +ACCEPT_KEYWORDS="amd64" +ACCEPT_LICENSE="* -@EULA" +CBUILD="x86_64-pc-linux-gnu" +CFLAGS="-march=native -O2 -ggdb3 -pipe" +CHOST="x86_64-pc-linux-gnu" +CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt" +CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" +CXXFLAGS="-march=native -O2 -ggdb3 -pipe" +DISTDIR="/mnt/large/distfiles" +EMERGE_DEFAULT_OPTS="-j3 --load-average=17.5 --with-bdeps=y 
--autounmask=n" +ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" +FCFLAGS="-O2 -pipe" +FEATURES="assume-digests binpkg-logs buildpkg candy cgroup compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox sfperms split-elog split-log splitdebug strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" +FFLAGS="-O2 -pipe" +GENTOO_MIRRORS="http://gentoo.mirrors.tds.net/gentoo http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.osuosl.org/ http://mirrors.rit.edu/gentoo/ http://gentoo.cs.uni.edu/ http://gentoo.osuosl.org/ " +LANG="en_US.utf8" +LDFLAGS="-Wl,-O1 -Wl,--as-needed" +LINGUAS="en en-US en_US" +MAKEOPTS="-j15 --load-average=17" +PKGDIR="/mnt/large/packages" +PORTAGE_COMPRESS="pxz" +PORTAGE_COMPRESS_FLAGS="-9e" +PORTAGE_CONFIGROOT="/" +PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" +PORTAGE_TMPDIR="/tmp" +USE="X a52 aac aacs acl acpi activities aes aio alsa amd64 amr avx avx2 bcache berkdb bluetooth bluray branding bzip2 cairo cdda cddb cdio cdr celt cli consolekit crypt cups cxx d3d9 dbus declarative designer device-mapper dirac directfb dot dri dts dvd dvdr emboss encode exif f16c fam ffmpeg fftw flac fluidsynth fma3 fontconfig fortran fuse gdbm geolocation gif git glamor go gphoto2 gpm gps graphite graphviz gsm gstreamer gtk hardened hddtemp highlight iconv icu ipv6 jpeg jpeg2k kde kerberos kipi kwallet lame latex lcms ldap libass libcaca libnotify libsamplerate libtirpc lm_sensors lto lvm lz4 lzma lzo 
mad matroska midi mjpeg mmx mmxext mng mono mp3 mp4 mpeg mtp multicall multilib multitarget musepack natspec ncurses netlink networkmanager nfs nls nptl nsplugin ogg openal openexr opengl openh264 openmp openssl opus osmesa pam pango pcap pch pclmul pcre pdf perl pgo phonon plasma playlist png policykit popcnt postgres postproc ppds pulseaudio python qml qt5 rar raw readline samba sasl savedconfig scanner schroedinger sdl seccomp sensors sid smp snappy speex spell spice sqlite sqlite3 squashfs sse sse2 sse3 sse4_1 sse4_2 sse4a ssh ssl ssse3 startup-notification static-libs subversion svg syslog systemtap taglib tcpd theora threads tiff timidity tools tremor truetype tty-helpers twolame udev udisks unicode upnp-av upower usb usbredir utils v4l vaapi valgrind vcdx vdpau vim-syntax virt-network virtio vlc vorbis vpx webdav webp widgets wxwidgets x264 x265 xattr xcb xcomposite xen xine xml xspice xv xvid xvmc zeroconf zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" CURL_SSL="openssl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver 
oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc coreboot emu multiboot qemu xen" INPUT_DEVICES="keyboard mouse joystick evdev wacom vmmouse" KERNEL="linux" L10N="en en-US en_US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="AMDGPU ARM BPF NVPTX Mips X86" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" QEMU_SOFTMMU_TARGETS="aarch64 arm armeb i386 hppa m68k microblaze microblazeel mips mips64 mips64el mipsel mipsn32 mipsn32el ppc ppc64 ppc64abi32 ppc64le s390x sparc sparc32plus sparc64 x86_64" QEMU_USER_TARGETS="aarch64 arm armeb i386 hppa m68k microblaze microblazeel mips mips64 mips64el mipsel mipsn32 mipsn32el ppc ppc64 ppc64abi32 ppc64le s390x sparc sparc32plus sparc64 x86_64" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="radeon radeonsi vesa qxl vmware amdgpu" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" +Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS + +================================================================= + Package Settings +================================================================= + +app-emulation/qemu-3.1.0-r4::gentoo was built with the following: +USE="aio alsa bzip2 caps curl fdt filecaps gtk jpeg lzo ncurses nfs nls opengl pin-upstream-blobs png pulseaudio python sasl sdl seccomp snappy spice ssh static-user systemtap usb usbredir vde vhost-net virtfs vnc vte xattr xen 
-accessibility (-capstone) -debug (-glusterfs) -gnutls -infiniband -iscsi -numa -rbd (-selinux) -smartcard (-static) -tci -test -virgl -xfs" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" QEMU_SOFTMMU_TARGETS="aarch64 arm hppa i386 m68k microblaze microblazeel mips mips64 mips64el mipsel ppc ppc64 s390x sparc sparc64 x86_64 -alpha -cris -lm32 -moxie -nios2 -or1k -riscv32 -riscv64 -sh4 -sh4eb -tricore -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="aarch64 arm armeb hppa i386 m68k microblaze microblazeel mips mips64 mips64el mipsel mipsn32 mipsn32el ppc ppc64 ppc64abi32 ppc64le s390x sparc sparc32plus sparc64 x86_64 -aarch64_be -alpha -cris -nios2 -or1k -riscv32 -riscv64 -sh4 -sh4eb -tilegx -xtensa -xtensaeb" + +>>> Attempting to run pkg_info() for 'app-emulation/qemu-3.1.0-r4' +Using: + app-emulation/spice-protocol-0.12.14 + sys-firmware/edk2-ovmf-2017_p20180211 + USE=binary + sys-firmware/ipxe-1.0.0_p20180211 + sys-firmware/seabios-1.11.0 + USE=binary + sys-firmware/sgabios-0.1_pre8-r1 + +The check in target_cpu_copy_regs at linux-user/mips/cpu_loop.c:776 Is reading an uninitialized value: + + if ((info->fp_abi > MAX_FP_ABI && info->fp_abi != MIPS_ABI_FP_UNKNOWN) + || (info->interp_fp_abi > MAX_FP_ABI && + info->interp_fp_abi != MIPS_ABI_FP_UNKNOWN)) { + fprintf(stderr, "qemu: Unexpected FPU mode\n"); + exit(1); + } + +info->interp_fp_abi is actually initialized, but by reading a value that isn't. It was previously 0x601de662 at the above if statement, but when I add this memset to load_elf_binary... + +int load_elf_binary(struct linux_binprm *bprm, struct image_info *info) +{ + struct image_info interp_info; + struct elfhdr elf_ex; + char *elf_interpreter = NULL; + char *scratch; + + memset(&interp_info, 0xfd, sizeof(interp_info)); + +... then it is 0xfdfdfdfd. + + + +In load_elf_binary (linux-user/elfload.c b/linux-user/elfload.c:2644) the entire interp_info struct should be inited, I would call this a CVE. 
At a very minimum, init the fp_abi field so we don't use whatever happened to be on the stack for the FPU mode should the ELF header not specify otherwise. + +Please send patches to the mailing list for inclusion. QEMU maintainers normally don't take patches from the bug tracker. See https://wiki.qemu.org/Contribute/SubmitAPatch + +Actually, this is a better patch. Let's sanitize struct image_info interp_info. + +This is certainly a bug, but it's not a a CVE, ie not a security bug. The entire purpose of the linux-user mode is to run the guest ELF file and let it perform whatever syscalls it likes -- it doesn't need to exploit any kind of bug in the ELF loader to be able to control what the process is doing. + + +Thanks Peter. I was just reading up on the CVE process and I agree. Obviously, it's dangerous to use uninitialized values, but that doesn't necessarily make it a vulnerability. + +And thank you Thomas for the instructions! + +Fix posted on the list: +https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg04037.html + +A fix for this was committed as abcac736c1505254ec3 and will be in the upcoming 4.1 release. + +FWIW I am still seeing a similar failure with 5.1.0rc3 (using a "Hello World" like program in Ubuntu 20.04 x86_64 built statically): + +$ mipsisa32r6el-linux-gnu-gcc --static -o h h.c +$ ./qemu-mipsn32el ./h +qemu: Unexpected FPU mode + +big endian also seems to be affected + diff --git a/results/classifier/108/other/1825311 b/results/classifier/108/other/1825311 new file mode 100644 index 000000000..fd20bd40b --- /dev/null +++ b/results/classifier/108/other/1825311 
@@ -0,0 +1,72 @@ +performance: 0.749 +device: 0.732 +graphic: 0.681 +files: 0.673 +network: 0.660 +PID: 0.645 +socket: 0.640 +vnc: 0.606 +permissions: 0.605 +semantic: 0.557 +boot: 0.506 +debug: 0.439 +KVM: 0.415 +other: 0.381 + +mips_cpu_handle_mmu_fault renders all accessed pages executable + +On MIPS, data accesses to pages mapped in the TLB result in mips_cpu_handle_mmu_fault() marking the page unconditionally executable, even if the TLB entry has the XI bit set. Later on, when there is an attempt to execute this page, no exception is generated, even though TLBXI is expected. + +I am attaching a reproducer image and script. + +Unpatched execution ends like this: + +... +TAP TEST START +1..2 +not ok 1 NonExecutable::ElfDataIsNotExecutable +# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:103 +# Expected: -(L4_EIPC_LO + l4_ipc_error(tag, l4_utcb())) >= 0 +# Actual: -2003 (Receive timeout) +# There was no IPC error. +# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:125 +# Expected equality of these values: +# pfa +# Which is: 360 +# (l4_addr_t)execute_data +# Which is: 17633344 +# The page fault occured at the expected location. +not ok 2 NonExecutable::StackIsNotExecutable +# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:103 +# Expected: -(L4_EIPC_LO + l4_ipc_error(tag, l4_utcb())) >= 0 +# Actual: -2003 (Receive timeout) +# There was no IPC error. +# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:144 +# Expected equality of these values: +# pfa +# Which is: 4358144 +# stack_func +# Which is: 4276000 +# The page fault occured at the expected location. +TAP TEST FINISHED + + + +With the proposed patch applied, the execution should end with something like this: + +... 
+TAP TEST START +1..2 +ok 1 NonExecutable::ElfDataIsNotExecutable +ok 2 NonExecutable::StackIsNotExecutable +TAP TEST FINISHED + + +Patch posted on the list: +https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg03711.html + +Also attaching the 64-bit version of the reproducer. + +This bug should be fixed by commit 7353113fa482e697a77 now in QEMU master; it will be in the 4.1 release. + + diff --git a/results/classifier/108/other/1825359 b/results/classifier/108/other/1825359 new file mode 100644 index 000000000..77d5baf29 --- /dev/null +++ b/results/classifier/108/other/1825359 
@@ -0,0 +1,202 @@ +permissions: 0.886 +other: 0.812 +semantic: 0.811 +performance: 0.810 +graphic: 0.809 +vnc: 0.759 +device: 0.753 +files: 0.721 +debug: 0.712 +PID: 0.705 +network: 0.683 +KVM: 0.681 +socket: 0.669 +boot: 0.601 + +cpu_ld*_code() triggers MMU_DATA_LOAD i.s.o. MMU_INST_FETCH + +commit 377b155bde451d5ac545fbdcdfbf6ca17a4228f5 +Merge: c876180938 328eb60dc1 +Author: Peter Maydell <peter.x@x.x> ; masked for anti-spamming purposes +Date: Mon Mar 11 18:26:37 2019 +0000 +https://github.com/qemu/qemu/commit/377b155bde451d5ac545fbdcdfbf6ca17a4228f5 +-------------------------------------------------- + +cpu_ld*_code() is used for loading code data as the name suggests. Although, it begins +accessing memory with MMU_INST_FETCH access type, somewhere down the road, when the +"io_readx(..., access_type=MMU_INST_FETCH, ...)" is called, it is ignoring this "access_type" +while calling the "tlb_fill()" with a _hardcoded_ MMU_DATA_LOAD: + +cputlb.c +-------- +static uint64_t io_readx(..., MMUAccessType access_type, ...) +{ + + if (recheck) { + CPUTLBEntry *entry; + target_ulong tlb_addr; + + tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr); + ... +} +-------- + +This is an issue, because there can exist _small_ regions of memory (smaller than the +TARGET_PAGE_SIZE) that are only executable and not readable. + +TL;DR + +What happens is at first, a "tlb_fill(..., access_type=MMU_INST_FETCH, ...)" is +triggered by "tb_lookup_cpu_state()". To be precise, this is the call stack which is good behavior: +--- +#0 tlb_fill (cs=..., vaddr=684, size=0, access_type=MMU_INST_FETCH, mmu_idx=0, retaddr=0) at target/arc/mmu.c:602 +#1 get_page_addr_code (env=..., addr=684) at accel/tcg/cputlb.c:1045 +#2 tb_htable_lookup (cpu=..., pc=684, cs_base=0, flags=0, cf_mask=4278190080) at accel/tcg/cpu-exec.c:337 +#3 tb_lookup__cpu_state (cpu=..., pc=..., cs_base=..., flags=..., cf_mask=4278190080) at include/exec/tb-lookup.h:43 +#4 tb_find (cpu=..., last_tb=... 
<code_gen_buffer+17811>, tb_exit=0, cf_mask=0) at accel/tcg/cpu-exec.c:404 +#5 cpu_exec (cpu=...) at accel/tcg/cpu-exec.c:729 +#6 tcg_cpu_exec (cpu=...) at cpus.c:1430 +#7 qemu_tcg_rr_cpu_thread_fn (arg=...) at cpus.c:1531 +#8 qemu_thread_start (args=...) at util/qemu-thread-posix.c:502 +--- + +After this call, TLB is filled with an entry that its size field is small, say 32 bytes. +This causes a TLB_RECHECK for consequent memory accesses, which is logical. However, +in our decoder, we use cpu_lduw_code() to read the instructions and decode them. As mentioned, +in the beginning, the access_type=MMU_INST_FETCH is lost in "io_readx()" while calling "tlb_fill()", +and now THIS CAUSES A GUEST EXCEPTION BECAUSE THAT REGION IS NOT ALLOWED TO BE READ. Here, +comes that trace call of the _bad_ behavior: +--- +#0 tlb_fill (..., access_type=MMU_DATA_LOAD, ...) at target/arc/mmu.c:605 +#1 io_readx (..., access_type=MMU_INST_FETCH, size=2) at accel/tcg/cputlb.c:881 +#2 io_readw (..., access_type=MMU_INST_FETCH) at accel/tcg/softmmu_template.h:106 +#3 helper_le_ldw_cmmu (..., oi=16, retaddr=0) at accel/tcg/softmmu_template.h:146 +#4 cpu_lduw_code_ra (env=..., ptr=684, retaddr=0) at include/exec/cpu_ldst_template.h:102 +#5 cpu_lduw_code (env=..., ptr=684) at include/exec/cpu_ldst_template.h:114 +#6 read_and_decode_context (ctx=..., opcode_p=...) at target/arc/arc-decoder.c:1479 +#7 arc_decode (ctx=...) at target/arc/arc-decoder.c:1736 +#8 decode_opc (env=..., ctx=...) at target/arc/translate.c:313 +#9 arc_tr_translate_insn (dcbase=..., cpu=...) at target/arc/translate.c:335 +#10 translator_loop (.. <code_gen_buffer+18131>) at accel/tcg/translator.c:107 +#11 gen_intermediate_code (cpu=..., tb=... <code_gen_buffer+18131>) at target/arc/translate.c:413 +#12 tb_gen_code (cpu=..., pc=684, cs_base=0, flags=0, cflags=-16711679) at accel/tcg/translate-all.c:1723 +#13 tb_find (cpu=..., last_tb=... 
<code_gen_buffer+17811>, tb_exit=0, cf_mask=0) at accel/tcg/cpu-exec.c:407 +#14 cpu_exec (cpu=...) at accel/tcg/cpu-exec.c:729 +#15 tcg_cpu_exec (cpu=...) at cpus.c:1430 + +--- + +Do you confirm if this is an issue? Maybe there are other ways to read an instruction with +MMU_INST_FETCH access that I don't know about. + +Last but not least, although this is not a security issue for QEMU per se, but it is hindering a +security feature for the guest. + +Yeah, this looks like a bug -- we should pass the access_type through rather than using MMU_DATA_LOAD. + + +Should I make a patch then? + + + + + + +The patch looks OK code-wise, but could you submit it to the mailing list, please? +https://wiki.qemu.org/Contribute/SubmitAPatch has the details, but the most important part is that it needs a 
Signed-off-by: line from you that says you have the legal right and are willing to contribute it to QEMU under our license. Otherwise we can't use the patch. + + +I have to say, after applying this patch, my test still fails while fetching the instructions from this _small_ region. Although there is no MMU_DATA_LOAD anymore, a few iterations later (while guest code has just jumped to the beginning of the executable region), QEmu segfaults (call stack is attached): + +memory.c +-------- +static MemTxResult +memory_region_read_with_attrs_accessor(MemoryRegion *mr, + ...) +{ + uint64_t tmp = 0; + MemTxResult r; + + r = mr->ops->read_with_attrs(mr->opaque, addr, &tmp, size, attrs); + ... +} +-------- + +Here, "read_with_attrs" is null. The call stack looks like: +--- +#0 memory_region_read_with_attrs_accessor at memory.c:465 +#1 access_with_adjusted_size at memory.c:568 +#2 memory_region_dispatch_read1 at memory.c:1425 +#3 memory_region_dispatch_read at memory.c:1446 +#4 io_readx at accel/tcg/cputlb.c:909 +#5 io_readw at accel/tcg/softmmu_template.h:106 +#6 helper_le_ldw_cmmu at accel/tcg/softmmu_template.h:146 +#7 cpu_lduw_code_ra at include/exec/cpu_ldst_template.h:102 +#8 cpu_lduw_code at include/exec/cpu_ldst_template.h:114 +#9 read_and_decode_context at target/arc/arc-decoder.c:1479 +#10 arc_decode at target/arc/arc-decoder.c:1736 +#11 decode_opc at target/arc/translate.c:313 +#12 arc_tr_translate_insn at target/arc/translate.c:335 +#13 translator_loop at accel/tcg/translator.c:107 +#14 gen_intermediate_code at target/arc/translate.c:413 +#15 tb_gen_code at accel/tcg/translate-all.c:1723 +#16 tb_find at accel/tcg/cpu-exec.c:407 +#17 cpu_exec at accel/tcg/cpu-exec.c:729 +#18 tcg_cpu_exec at cpus.c:1430 +--- +more detailed call stack is attached. + +call stack for SEGFAULT that happens during the execution of small region. This will go away IF THE ENTRY ADDED TO TLB FOR THIS REGION IS OF SIZE TARGET_PAGE_SIZE. However, that would not be correct behavior. 
+ +That should not happen unless you have some device that is incorrectly not providing a suitable read function in its MemoryRegionOps. If you look at 'mr' in the debugger you should be able to figure out which device is the problem. + + +The problem seems to be this piece of code: + +cputlb.c +-------- +static uint64_t io_readx(...) +{ + + if (recheck) { + ... + + tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr); + + entry = tlb_entry(env, mmu_idx, addr); + tlb_addr = entry->addr_read; + ... +} +-------- + +"entry->addr_read" is indeed looking for a "reading address". in this case, it must look for an +"executing address", i.e. "entry->addr_code". + +I see softmmu_template.h does something like this: +---- +... +#ifdef SOFTMMU_CODE_ACCESS +#define READ_ACCESS_TYPE MMU_INST_FETCH +#define ADDR_READ addr_code +#else +#define READ_ACCESS_TYPE MMU_DATA_LOAD +#define ADDR_READ addr_read +#endif +... + +WORD_TYPE helper_le_ld_name(...) +{ + ... + target_ulong tlb_addr = entry->ADDR_READ; + ... +} +---- + +This patch has fixed for me both issues. Although I am not very proud of the changes in the second hunk. Please let me know if there is a better way. + + +Your patch is now in git master as commit ef5dae6805cce7b59d129 -- thanks! + + +Thank YOU for all the supports along the way :) + diff --git a/results/classifier/108/other/1825452 b/results/classifier/108/other/1825452 new file mode 100644 index 000000000..6fa442414 --- /dev/null +++ b/results/classifier/108/other/1825452 
@@ -0,0 +1,61 @@ +other: 0.951 +PID: 0.921 +permissions: 0.915 +network: 0.865 +files: 0.856 +debug: 0.845 +vnc: 0.825 +semantic: 0.816 +device: 0.815 +graphic: 0.809 +performance: 0.735 +socket: 0.732 +boot: 0.684 +KVM: 0.377 + +Pulse audio backend doesn't work in v4.0.0-rc4 release + +Using Gentoo linux, build from source: qemu v4.0.0-rc4 release (eeba63fc7fface36f438bcbc0d3b02e7dcb59983) + +Pulse audio backend doesn't initialize because of the: +audio/paaudio.c: +- if (!popts->has_server) { +- char pidfile[64]; +- char *runtime; +- struct stat st; +- +- runtime = getenv("XDG_RUNTIME_DIR"); +- if (!runtime) { +- return NULL; +- } +- snprintf(pidfile, sizeof(pidfile), "%s/pulse/pid", runtime); +- if (stat(pidfile, &st) != 0) { +- return NULL; +- } +- } +XDG_RUNTIME_DIR is not set for me. There is no /run/user directory exist in my system. + +Also: +$ less ~/.pulse/client.conf +default-server = unix:/home/ivan/.pulse_server + +Removing this lines makes pa backend work fine again. Much better than 3.x versions due to buffer fixes. + +It looks like this code relies on the systemd specifics and doesn't work with OpenRC used in Gentoo by default. Still not fixed in 4.0.0 release. + +You can use -audiodev pa,id=whatever,server=unix:/home/ivan/.pulse_server to get things going with your configuration. + +Oh, and this has nothing to do with systemd: + +kraxel@gentoo ~ $ set | grep ^XDG +XDG_CONFIG_DIRS=/etc/xdg +XDG_DATA_DIRS=/usr/local/share:/usr/share +XDG_RUNTIME_DIR=/var/run/user/1000 +XDG_SESSION_COOKIE=gentoo-1556780854.41316-799155214 + +(gentoo with openrc + xfce, serial console login, x11 login has a few more of these set). + +Looking through old bug tickets... is this still an issue with the latest version of QEMU? Or could we close this ticket nowadays? + +[Expired for QEMU because there has been no activity for 60 days.] + |
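Review bot: the score vector at the top of results/classifier/108/other/1825 ranks `device` (0.751) and `graphic` (0.738) highest for a report that is a qemu-binfmt user-mode segfault in pigz, and `other` (0.450) only sixth, yet the file is placed under `other/`; nothing in this commit states the rule that maps a score vector to a target directory, so please document it (threshold, manual label, or otherwise) next to the results so the placement can be checked.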
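Review bot: most of the 196 lines of results/classifier/108/other/1825002 are the reporter's pasted `emerge --info` output (repository list, USE flags, MAKEOPTS, mirror URLs, package settings) rather than the bug text, which inflates the stored report and feeds the classifier configuration noise unrelated to the "Unexpected FPU mode" problem; consider keeping only the report body and the follow-up comments, which is all the other four files contain.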
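Review bot: results/classifier/108/other/1825311 is filed under `other/` although `other` is its lowest score (0.381) and `performance` (0.749) leads, the opposite of 1825452 where `other` (0.951) is the top score, so the two placements cannot both follow a highest-score rule; the report also twice refers to an attached reproducer (image, script, and a 64-bit version) that is not carried in the stored text, so the TLBXI reproduction can no longer be followed from this file alone.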
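Review bot: the line `Author: Peter Maydell <peter.x@x.x> ; masked for anti-spamming purposes` stored in results/classifier/108/other/1825359 has the redaction note embedded in the data itself, so any consumer reading the Author line will see the explanation as part of the address; if addresses are being masked for this corpus, strip the trailing note and apply the same masking policy consistently across the files in the commit.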
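Review bot: results/classifier/108/other/1825452 stores personal shell details verbatim, namely the home path `/home/ivan/.pulse_server` (repeated in the suggested `-audiodev pa,...,server=` line), the `kraxel@gentoo` prompt, and `XDG_SESSION_COOKIE=gentoo-1556780854.41316-799155214`; a session cookie value contributes nothing to classifying the PulseAudio backend report and should be redacted the way the e-mail address in 1825359 was.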