diff options
Diffstat (limited to 'results/classifier/118/all/1880189')
| -rw-r--r-- | results/classifier/118/all/1880189 | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/results/classifier/118/all/1880189 b/results/classifier/118/all/1880189 new file mode 100644 index 000000000..734c867fd --- /dev/null +++ b/results/classifier/118/all/1880189 @@ -0,0 +1,142 @@ +user-level: 0.939 +register: 0.939 +permissions: 0.922 +files: 0.922 +debug: 0.922 +vnc: 0.921 +risc-v: 0.920 +device: 0.920 +KVM: 0.917 +i386: 0.917 +virtual: 0.914 +assembly: 0.914 +performance: 0.913 +mistranslation: 0.912 +semantic: 0.912 +architecture: 0.912 +boot: 0.911 +graphic: 0.909 +ppc: 0.909 +arm: 0.906 +network: 0.904 +TCG: 0.904 +peripherals: 0.899 +socket: 0.895 +VMM: 0.895 +PID: 0.889 +kernel: 0.885 +hypervisor: 0.879 +x86: 0.863 + +I/O writes make cirrus_invalidate_region() crash + +As of commit d19f1ab0, LLVM libFuzzer found: + +qemu-fuzz-i386: hw/display/cirrus_vga.c:646: void cirrus_invalidate_region(CirrusVGAState *, int, int, int, int): Assertion `off_cur_end >= off_cur' failed. +==1336555== ERROR: libFuzzer: deadly signal + #0 0xaaaaaf943ce4 in __sanitizer_print_stack_trace + #1 0xaaaaaf899474 in fuzzer::PrintStackTrace() + #2 0xaaaaaf884c80 in fuzzer::Fuzzer::CrashCallback() + #3 0xffff9b4e8568 (linux-vdso.so.1+0x568) + #4 0xffff99ac406c in __libc_signal_restore_set /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3 + #5 0xffff99ac406c in raise /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3 + #6 0xffff99ab0d64 in abort /build/glibc-w4ZToO/glibc-2.31/stdlib/abort.c:79:7 + #7 0xffff99abd5d8 in __assert_fail_base /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:92:3 + #8 0xffff99abd640 in __assert_fail /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:101:3 + #9 0xaaaab040768c in cirrus_invalidate_region + #10 0xaaaab0405404 in cirrus_bitblt_solidfill + #11 0xaaaab0402a88 in cirrus_bitblt_start + #12 0xaaaab04046a8 in cirrus_write_bitblt + #13 0xaaaab0400db4 in cirrus_vga_write_gr + #14 0xaaaab03fd33c in cirrus_vga_ioport_write + #15 0xaaaaafb41674 in memory_region_write_accessor + #16 0xaaaaafb411ec in access_with_adjusted_size + #17 0xaaaaafb40180 in memory_region_dispatch_write + #18 0xaaaaaf995dfc in flatview_write_continue + #19 0xaaaaaf985bd8 in flatview_write + #20 0xaaaaaf98574c in address_space_write + #21 0xaaaab110510c in ioport_fuzz_qtest + #22 0xaaaab1103a48 in i440fx_fuzz_qtest + #23 0xaaaab11010d8 in LLVMFuzzerTestOneInput + +Reproducer: + +qemu-system-i386 -M isapc,accel=qtest -vga cirrus -qtest stdio << 'EOF' +outl 0x03b1 0x2fdc1001 +outb 0x03cc 0xe +outb 0x03cc 0xe +outb 0x03cc 0x2f +outb 0x03cc 0xe +outb 0x03cc 0x2f +outb 0x03cc 0xe +outl 0x03cc 0xedc100e +outb 0x03cc 0x2f +outl 0x03cc 0xe24f40e +outl 0x03cc 0x2f23dc12 +outl 0x03cc 0xe23f40e +outl 0x03cc 0xe31dc12 +outb 0x03cc 0x2f +outl 0x03cc 0xe2af40e +outl 0x03cc 0x2f235612 +outl 0x03cc 0xe23f40e +outl 0x03cc 0xe31dc12 +outb 0x03cc 0x2f +outl 0x03cc 0x2fdcf40e +outb 0x03cc 0xe +outl 0x03cc 0xedc100e +outb 0x03cc 0x2f +outl 0x03cc 0xe24f40e +outl 0x03cc 0xe23dc12 +outb 0x03cc 0x2f +outl 0x03cc 0xedc100e +outl 0x03cc 0x2fdc400e +outb 0x03cc 0xe +outl 0x03cc 0xe130100e +outb 0x03cc 0x2f +outl 0x03cc 0xe23f40e +outl 0x03cc 0xe31dc12 +outb 0x03cc 0x2f +outl 0x03cc 0xe33f40e +outl 0x03cc 0xdc235612 +outb 0x03cc 0xe +outl 0x03cc 0x2fdc400e +outb 0x03cc 0xe +outl 0x03cc 0xfb24100e +outb 0x03cc 0x2f +outl 0x03cc 0xdc10dc0e +outl 0x03cc 0x2f31dc12 +outl 0x03cc 0xe23f40e +outl 0x03cc 0xe31dc12 +outb 0x03cc 0x2f +outl 0x03cc 0xe23f40e +outl 0x03cc 0xe31dc12 +outb 0x03cc 0x2f +outl 0x03cc 0x1021f40e +EOF +qemu-system-i386: hw/display/cirrus_vga.c:645: cirrus_invalidate_region: Assertion `off_cur_end >= off_cur' failed. +Aborted (core dumped) + +(gdb) bt +#0 0x00007f1d019fee35 in raise () at /lib64/libc.so.6 +#1 0x00007f1d019e9895 in abort () at /lib64/libc.so.6 +#2 0x00007f1d019e9769 in _nl_load_domain.cold () at /lib64/libc.so.6 +#3 0x00007f1d019f7566 in annobin_assert.c_end () at /lib64/libc.so.6 +#4 0x00005645cb447a37 in cirrus_invalidate_region (s=0x5645cd237540, off_begin=2097204, off_pitch=251, bytesperline=1, lines=7169) at hw/display/cirrus_vga.c:645 +#5 0x00005645cb447cc8 in cirrus_bitblt_solidfill (s=0x5645cd237540, blt_rop=0) at hw/display/cirrus_vga.c:704 +#6 0x00005645cb448886 in cirrus_bitblt_start (s=0x5645cd237540) at hw/display/cirrus_vga.c:1005 +#7 0x00005645cb448dd1 in cirrus_write_bitblt (s=0x5645cd237540, reg_value=47) at hw/display/cirrus_vga.c:1090 +#8 0x00005645cb449b02 in cirrus_vga_write_gr (s=0x5645cd237540, reg_index=49, reg_value=47) at hw/display/cirrus_vga.c:1593 +#9 0x00005645cb44bb2f in cirrus_vga_ioport_write (opaque=0x5645cd237540, addr=975, val=47, size=1) at hw/display/cirrus_vga.c:2686 +#10 0x00005645cb1e0d6e in memory_region_write_accessor (mr=0x5645cd247f10, addr=31, value=0x7fff178d6c18, size=1, shift=24, mask=255, attrs=...) at memory.c:483 +#11 0x00005645cb1e0f7f in access_with_adjusted_size (addr=28, value=0x7fff178d6c18, size=4, access_size_min=1, access_size_max=1, access_fn= + 0x5645cb1e0c8b <memory_region_write_accessor>, mr=0x5645cd247f10, attrs=...) at memory.c:544 +#12 0x00005645cb1e3e9d in memory_region_dispatch_write (mr=0x5645cd247f10, addr=28, data=791796754, op=MO_32, attrs=...) at memory.c:1476 +#13 0x00005645cb1845e5 in flatview_write_continue (fv=0x5645cd65e510, addr=972, attrs=..., ptr=0x7fff178d6da4, len=4, addr1=28, l=4, mr=0x5645cd247f10) at exec.c:3137 +#14 0x00005645cb18472a in flatview_write (fv=0x5645cd65e510, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3177 +#15 0x00005645cb184a7d in address_space_write (as=0x5645cbd7bb20 <address_space_io>, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3268 +#16 0x00005645cb1db385 in cpu_outl (addr=972, val=791796754) at ioport.c:80 + +Making this bug public as secalert@ said "if an unprivileged guest user can not trigger it, it can be treated as a normal bug". + +Fixed in commit 5fcf787582dd911df3a971718010bfca5a20e61d + |