Diffstat (limited to 'results/classifier/108/other/1911075')
-rw-r--r--results/classifier/108/other/191107597
1 files changed, 97 insertions, 0 deletions
diff --git a/results/classifier/108/other/1911075 b/results/classifier/108/other/1911075
new file mode 100644
index 000000000..e6078bc81
--- /dev/null
+++ b/results/classifier/108/other/1911075
@@ -0,0 +1,97 @@
+other: 0.922
+debug: 0.867
+performance: 0.863
+permissions: 0.862
+device: 0.854
+graphic: 0.851
+vnc: 0.793
+semantic: 0.791
+KVM: 0.760
+boot: 0.749
+files: 0.745
+PID: 0.726
+socket: 0.689
+network: 0.670
+
+[OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
+
+=== Reproducer ===
+while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest
+outl 0xcf8 0x8000fa27
+outl 0xcfc 0x37414537
+outl 0xcf8 0x8000fa01
+outl 0xcfc 0x4606ce74
+writew 0x37000f01 0x215a
+writeq 0x37000100 0xfffaf
+writeq 0x37000115 0xffff373d27004037
+outl 0xcf8 0x8000fa01
+outl 0xcfc 0x4606ce74
+writeq 0x370000ff 0x3700011500
+writeq 0x37000115 0xc41ffffff035a5a
+outl 0xcf8 0x8000ea04
+outb 0xcfc 0x15
+outl 0xcf8 0x8000ea00
+outw 0xcfc 0x5a1f
+writeq 0x37000115 0x100007765746972
+writeq 0x37000115 0xbf00000000000000
+outl 0xcf8 0x8000ea04
+outb 0xcfc 0x15
+outl 0xcf8 0x8000fa46
+outb 0xcfc 0xff
+clock_step
+writeq 0x37000115 0xaf
+writeq 0x37000115 0x6301275541af7415
+writeq 0x37000115 0xafaf5a5a743715
+outb 0x64 0xfe
+EOF
+
+=== Stack Trace ===
+==887446==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe567cae0c (pc 0x7fdd9100819e bp 0x7ffe567cb2b0 sp 0x7ffe567cad40 T887446)
+
+#0 vfprintf
+#1 fprintf
+#2 ahci_mem_write /src/qemu/hw/ide/ahci.c:468:9
+#3 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#4 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#5 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#6 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#7 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#8 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#9 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
+#10 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
+#11 map_page /src/qemu/hw/ide/ahci.c:249:9
+#12 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
+#13 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
+#14 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
+#15 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
+#16 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#17 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#18 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#19 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#20 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#21 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#22 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
+#23 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
+#24 map_page /src/qemu/hw/ide/ahci.c:249:9
+#25 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
+#26 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
+#27 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
+#28 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
+... Repeat until we run out of stack
+
+Having a quick look, the problem might be in ahci_cond_start_engines()
+which calls ahci_map_clb_address(), then ahci_map_fis_address() fails
+and we return without calling ahci_unmap_clb_address().
+
+And ahci_port_write(AHCI_PORT_REG_CMD) doesn't check
+ahci_cond_start_engines() return value, calling
+ahci_init_d2h() even if former failed.
+
+
+This is an automated cleanup. This bug report has been moved
+to QEMU's new bug tracker on gitlab.com and thus gets marked
+as 'expired' now. Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/62
+
+
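Review bot: The root-cause note near the end attributes the crash to a leaked CLB mapping when ahci_map_fis_address() fails, but the stack trace shows the recursion coming from somewhere else: frames #9–#15 read dma_memory_unmap() → address_space_unmap() → address_space_write() → … → ahci_mem_write() → ahci_port_write() → ahci_cond_start_engines() → ahci_map_clb_address() → map_page(), i.e. the write-back performed while unmapping the CLB page is dispatched straight back into the AHCI MMIO handler, which restarts the engine and maps the same page again without bound. A missing ahci_unmap_clb_address() on the failure path would explain a leaked mapping, not this loop, so a fix limited to balancing map/unmap calls is unlikely to stop the reproducer. What the visible report does support is (a) having ahci_port_write(AHCI_PORT_REG_CMD) honour the ahci_cond_start_engines() return value instead of proceeding to ahci_init_d2h(), as the report itself suggests, and (b) presumably having map_page()/ahci_map_clb_address() reject a guest-supplied base whose DMA mapping does not resolve to plain RAM for the full requested length — that second point should be confirmed against the QEMU source rather than taken from this trace alone. Since the CLB/FIS addresses in the reproducer derive from a BAR the guest programs via 0xcf8/0xcfc, this is a guest-triggerable QEMU process crash (guest-to-host DoS), not an internal assertion, and the entry should be triaged with that severity.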