Diffstat (limited to 'results/classifier/118/all/1878134')
| -rw-r--r-- | results/classifier/118/all/1878134 | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/results/classifier/118/all/1878134 b/results/classifier/118/all/1878134
new file mode 100644
index 000000000..46d1a1881
--- /dev/null
+++ b/results/classifier/118/all/1878134
@@ -0,0 +1,126 @@
+device: 0.969
+debug: 0.948
+arm: 0.946
+architecture: 0.943
+assembly: 0.942
+user-level: 0.939
+mistranslation: 0.935
+permissions: 0.935
+files: 0.932
+semantic: 0.930
+register: 0.926
+peripherals: 0.923
+i386: 0.922
+network: 0.921
+graphic: 0.920
+risc-v: 0.916
+PID: 0.915
+performance: 0.907
+virtual: 0.907
+vnc: 0.898
+socket: 0.894
+hypervisor: 0.885
+boot: 0.880
+ppc: 0.868
+kernel: 0.860
+VMM: 0.836
+x86: 0.821
+KVM: 0.818
+TCG: 0.815
+
+Assertion failures in ati_reg_read_offs/ati_reg_write_offs
+
+Hello,
+While fuzzing, I found inputs that trigger assertion failures in
+ati_reg_read_offs/ati_reg_write_offs
+
+uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length > 0 && length <= 32 - start' failed
+
+#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
+#4 0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
+#5 0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
+#6 0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
+#7 0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+#8 0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396
+
+
+I can reproduce it in qemu 5.0 built with using:
+cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
+outl 0xcf8 0x80001018
+outl 0xcfc 0xe2000000
+outl 0xcf8 0x8000101c
+outl 0xcf8 0x80001004
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fa20
+write 0xe2000004 0x1 0x1a
+readq 0xe2000000
+EOF
+
+Similarly for ati_reg_write_offs:
+cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
+outl 0xcf8 0x80001018
+outl 0xcfc 0xe2000000
+outl 0xcf8 0x8000101c
+outl 0xcf8 0x80001004
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fa20
+write 0xe2000000 0x8 0x6a00000000006a00
+EOF
+
+I also attached the traces to this launchpad report, in case the formatting is broken:
+
+qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none < attachment
+
+Please let me know if I can provide any further info.
+-Alex
+
+
+
+
+
+Hello,
+Please disregard this - I submitted it to the wrong launchpad site
+
+Hello Alexander,
+
+I believe your fuzz test result was meant to the upstream project so I moved it.
+
+o/
+
+On Fri, 15 May 2020, Launchpad Bug Tracker wrote:
+> You have been subscribed to a public bug by Philippe Mathieu-Daudé (philmd):
+>
+> Hello,
+> While fuzzing, I found inputs that trigger assertion failures in
+> ati_reg_read_offs/ati_reg_write_offs
+>
+> uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length
+>> 0 && length <= 32 - start' failed
+>
+> #3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
+> #4 0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
+> #5 0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
+> #6 0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
+> #7 0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+> #8 0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396
+
+Here's a stack trace with --enable debug which is more useful:
+
+#4 0x0000555555b39464 in extract32 (value=0, start=16, length=32) at /home/balaton/src/qemu/include/qemu/bitops.h:300
+#5 0x0000555555b3a45f in ati_reg_read_offs (reg=0, offs=2, size=4) at hw/display/ati.c:269
+#6 0x0000555555b3a9f1 in ati_mm_read (opaque=0x555556f35610, addr=26, size=4) at hw/display/ati.c:299
+#7 0x0000555555b3a988 in ati_mm_read (opaque=0x555556f35610, addr=4, size=4) at hw/display/ati.c:290
+
+It's trying to do an indexed read via MM_DATA reg of the middle of reg
+0x18 BIOS_2_SCRATCH which ends up calling ati_reg_read_offs with out of
+bound values. Maybe we should clamp size somewhere.
+
+Regards,
+BALATON Zoltan
+
+Sent patch that should fix this:
+https://<email address hidden>/
+
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0588cb51da698671
+ |