Diffstat (limited to 'results/classifier/118/all/1926111')
| -rw-r--r-- | results/classifier/118/all/1926111 | 229 |
1 files changed, 229 insertions, 0 deletions
diff --git a/results/classifier/118/all/1926111 b/results/classifier/118/all/1926111
new file mode 100644
index 000000000..2edc7e1bd
--- /dev/null
+++ b/results/classifier/118/all/1926111
@@ -0,0 +1,229 @@
+performance: 0.984
+debug: 0.984
+permissions: 0.983
+register: 0.982
+semantic: 0.982
+device: 0.982
+assembly: 0.981
+PID: 0.981
+peripherals: 0.980
+architecture: 0.980
+vnc: 0.980
+graphic: 0.978
+virtual: 0.978
+arm: 0.977
+socket: 0.973
+kernel: 0.972
+network: 0.969
+user-level: 0.966
+i386: 0.966
+hypervisor: 0.965
+mistranslation: 0.964
+files: 0.964
+boot: 0.964
+x86: 0.963
+ppc: 0.952
+risc-v: 0.951
+VMM: 0.944
+TCG: 0.942
+KVM: 0.925
+
+Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
+
+=== Stacktrace ===
+
+qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
+==602353== ERROR: libFuzzer: deadly signal
+#5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+#6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
+#7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
+#8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
+#9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
+#10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
+#11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
+#12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
+#13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
+#14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
+#15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
+
+=== Reproducer ===
+cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
+512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
+user,id=net0 -qtest stdio
+outl 0xcf8 0x80000810
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80000814
+outl 0xcf8 0x80000804
+outw 0xcfc 0x7
+outl 0xcf8 0x80000815
+outl 0xcfc 0xffff00b5
+write 0x0 0x1 0xe1
+write 0x1 0x1 0xfe
+write 0x2 0x1 0xbe
+write 0x3 0x1 0xba
+write 0xff00b020 0x4 0x0000feca
+write 0xe0000630 0x1 0x00
+EOF
+
+
+=== Testcase ===
+
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+static void test_fuzz(void) {
+ QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
+ "-device vmxnet3,netdev=net0 -netdev user,id=net0");
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcfc, 0xe0000000);
+ qtest_outl(s, 0xcf8, 0x80000814);
+ qtest_outl(s, 0xcf8, 0x80000804);
+ qtest_outw(s, 0xcfc, 0x7);
+ qtest_outl(s, 0xcf8, 0x80000815);
+ qtest_outl(s, 0xcfc, 0xffff00b5);
+ qtest_bufwrite(s, 0x0, "\xe1", 0x1);
+ qtest_bufwrite(s, 0x1, "\xfe", 0x1);
+ qtest_bufwrite(s, 0x2, "\xbe", 0x1);
+ qtest_bufwrite(s, 0x3, "\xba", 0x1);
+ qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
+ qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
+ qtest_quit(s);
+}
+int main(int argc, char **argv) {
+ const char *arch = qtest_get_arch();
+
+ g_test_init(&argc, &argv, NULL);
+
+ if (strcmp(arch, "i386") == 0) {
+ qtest_add_func("fuzz/test_fuzz", test_fuzz);
+ }
+
+ return g_test_run();
+}
+
+
+=== OSS-Fuzz Report ===
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
+https://oss-fuzz.com/testcase?key=6071483232288768
+
+Cc'ing maintainers.
+
+./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
+Dmitry Fleytman <email address hidden> (maintainer:Vmware)
+Jason Wang <email address hidden> (odd fixer:Network devices)
+
+On 4/26/21 5:19 AM, Alexander Bulekov wrote:
+> Public bug reported:
+>
+> === Stacktrace ===
+>
+> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
+> ==602353== ERROR: libFuzzer: deadly signal
+> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
+> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
+> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
+> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
+> #10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
+> #11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
+> #12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
+> #13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
+> #14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
+> #15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
+>
+> === Reproducer ===
+> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
+> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
+> user,id=net0 -qtest stdio
+> outl 0xcf8 0x80000810
+> outl 0xcfc 0xe0000000
+> outl 0xcf8 0x80000814
+> outl 0xcf8 0x80000804
+> outw 0xcfc 0x7
+> outl 0xcf8 0x80000815
+> outl 0xcfc 0xffff00b5
+> write 0x0 0x1 0xe1
+> write 0x1 0x1 0xfe
+> write 0x2 0x1 0xbe
+> write 0x3 0x1 0xba
+> write 0xff00b020 0x4 0x0000feca
+> write 0xe0000630 0x1 0x00
+> EOF
+>
+>
+> === Testcase ===
+>
+> /*
+> * Autogenerated Fuzzer Test Case
+> *
+> * This work is licensed under the terms of the GNU GPL, version 2 or later.
+> * See the COPYING file in the top-level directory.
+> */
+>
+> #include "qemu/osdep.h"
+>
+> #include "libqos/libqtest.h"
+>
+> static void test_fuzz(void) {
+> QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
+> "-device vmxnet3,netdev=net0 -netdev user,id=net0");
+> qtest_outl(s, 0xcf8, 0x80000810);
+> qtest_outl(s, 0xcfc, 0xe0000000);
+> qtest_outl(s, 0xcf8, 0x80000814);
+> qtest_outl(s, 0xcf8, 0x80000804);
+> qtest_outw(s, 0xcfc, 0x7);
+> qtest_outl(s, 0xcf8, 0x80000815);
+> qtest_outl(s, 0xcfc, 0xffff00b5);
+> qtest_bufwrite(s, 0x0, "\xe1", 0x1);
+> qtest_bufwrite(s, 0x1, "\xfe", 0x1);
+> qtest_bufwrite(s, 0x2, "\xbe", 0x1);
+> qtest_bufwrite(s, 0x3, "\xba", 0x1);
+> qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
+> qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
+> qtest_quit(s);
+> }
+> int main(int argc, char **argv) {
+> const char *arch = qtest_get_arch();
+>
+> g_test_init(&argc, &argv, NULL);
+>
+> if (strcmp(arch, "i386") == 0) {
+> qtest_add_func("fuzz/test_fuzz", test_fuzz);
+> }
+>
+> return g_test_run();
+> }
+>
+>
+> === OSS-Fuzz Report ===
+> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
+> https://oss-fuzz.com/testcase?key=6071483232288768
+>
+> ** Affects: qemu
+> Importance: Undecided
+> Status: New
+>
+>
+> ** Tags: fuzzer
+>
+> ** Tags removed: fuzz
+> ** Tags added: fuzzer
+>
+
+
+
+I can reproduce this issue with the latest version of QEMU. Marking as "Confirmed"
+
+Suggested fix: https://<email address hidden>/
+
+Fix has been included here:
+https://gitlab.com/qemu-project/qemu/-/commit/6a932c4ed8748b08c58c
+ |