summary refs log tree commit diff stats
path: root/results/classifier/118/graphic/1435973
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/graphic/1435973')
-rw-r--r--results/classifier/118/graphic/143597394
1 files changed, 94 insertions, 0 deletions
diff --git a/results/classifier/118/graphic/1435973 b/results/classifier/118/graphic/1435973
new file mode 100644
index 000000000..5c9c99a00
--- /dev/null
+++ b/results/classifier/118/graphic/1435973
@@ -0,0 +1,94 @@
+graphic: 0.964
+i386: 0.956
+kernel: 0.949
+architecture: 0.944
+performance: 0.922
+peripherals: 0.922
+files: 0.921
+user-level: 0.909
+vnc: 0.894
+socket: 0.893
+device: 0.890
+ppc: 0.879
+PID: 0.863
+assembly: 0.857
+permissions: 0.854
+x86: 0.811
+network: 0.790
+mistranslation: 0.790
+debug: 0.784
+register: 0.773
+VMM: 0.764
+semantic: 0.752
+arm: 0.747
+boot: 0.742
+hypervisor: 0.717
+TCG: 0.707
+virtual: 0.698
+risc-v: 0.692
+KVM: 0.631
+
+Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation.
+
+As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes.
+
+To reproduce.
+
+1. launch qemu with scsi emulatoin
+qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
+2. issues scsi command via ioctl(SG_IO) on guest linux. like below.
+
+-------------------------
+struct request_sense sens;
+struct sg_io_hdr sg;
+unsigned char cdb[6];
+unsigned char buf[127];
+
+memset( &sens, 0, sizeof(sens) );
+memset(&sg, 0, sizeof(sg));
+memset(cdb, 0, sizeof(cdb));
+memset(buf, 0, sizeof(buf));
+
+// qemu crash!!!
+cdb[0] = 0xff;
+
+sg.dxferp = buf;
+sg.dxfer_len = sizeof(buf);
+sg.dxfer_direction = SG_DXFER_FROM_DEV;
+sg.flags = 0;
+sg.interface_id = 'S';
+sg.cmdp = cdb;
+sg.cmd_len = sizeof( cdb );
+sg.sbp = (unsigned char*)&sens;
+sg.mx_sb_len = sizeof( sens );
+
+ioctl( fd, SG_IO, &sg );
+-------------------------
+
+I think cause is below code.
+
+scsi-bus.c L1239
+int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
+{
+    int rc;
+
+    cmd->lba = -1;
+    cmd->len = scsi_cdb_length(buf);
+    ...
+    memcpy(cmd->buf, buf, cmd->len);
+}
+
+scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
+Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.
+
+Environment
+Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
+Guest: linux kernel 3.18.4 + buildroot
+Host: Windows 7 64bit
+
+Thanks,
+hiroaki
+
+Looks like this has been fixed here:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c170aad8b057223b1139d7
+