summary refs log tree commit diff stats
path: root/results/classifier/108/permissions/1880539
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/permissions/1880539')
-rw-r--r--results/classifier/108/permissions/188053958
1 files changed, 58 insertions, 0 deletions
diff --git a/results/classifier/108/permissions/1880539 b/results/classifier/108/permissions/1880539
new file mode 100644
index 000000000..0551545a1
--- /dev/null
+++ b/results/classifier/108/permissions/1880539
@@ -0,0 +1,58 @@
+permissions: 0.948
+semantic: 0.941
+debug: 0.941
+graphic: 0.935
+performance: 0.929
+device: 0.924
+other: 0.918
+PID: 0.918
+boot: 0.898
+vnc: 0.895
+network: 0.874
+files: 0.873
+socket: 0.858
+KVM: 0.855
+
+I/O write make QXL abort in qxl_set_mode()
+
+libFuzzer found:
+
+qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
+qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
+==8134== ERROR: libFuzzer: deadly signal
+    #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
+    #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
+    #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
+    #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
+    #4 0x7fd640644c6f  (/lib64/libpthread.so.0+0x12c6f)
+    #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
+    #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
+    #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
+    #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
+    #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
+    #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
+    #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
+    #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
+    #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)
+
+Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).
+
+Command line: 'qemu-system-i386 -display none -M pc -vga qxl'
+
+Here's a qtest reproducer for this:
+cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest -qtest null -nographic -vga qxl -qtest stdio -nodefaults
+outl 0xcf8 0x80000804
+outb 0xcfc 0xff
+outl 0xcf8 0x80000819
+outl 0xcfc 0x87caff7a
+outb 0x86 0x23
+EOF
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'invalid' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/232
+
+