Diffstat (limited to 'results/classifier/118/none/1810956')
| -rw-r--r-- | results/classifier/118/none/1810956 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/results/classifier/118/none/1810956 b/results/classifier/118/none/1810956 new file mode 100644 index 000000000..659452e12 --- /dev/null +++ b/results/classifier/118/none/1810956 @@ -0,0 +1,47 @@ +device: 0.761 +TCG: 0.697 +boot: 0.693 +graphic: 0.667 +network: 0.537 +socket: 0.478 +files: 0.465 +risc-v: 0.449 +kernel: 0.446 +vnc: 0.441 +arm: 0.373 +semantic: 0.369 +register: 0.363 +architecture: 0.357 +PID: 0.344 +ppc: 0.321 +mistranslation: 0.293 +peripherals: 0.290 +permissions: 0.277 +performance: 0.241 +i386: 0.234 +hypervisor: 0.219 +x86: 0.216 +virtual: 0.160 +VMM: 0.159 +debug: 0.149 +user-level: 0.124 +KVM: 0.076 +assembly: 0.070 + +qemu-2.12.1 crashes when running malicious bootloader. + +Running specific bootloader on Qemu causes fatal error and +hence SIGABRT in /qemu-2.12.1/tcg/tcg.c on line 2684. + +Bootloader binary code is included in attachments. +The code was generated by assembling a valid bootloader, then +appending random-bytes from file `/dev/urandom` to the binary file. + + + +This is a bug, obviously, but note that we do not guarantee TCG binary translation to be a security boundary against malicious code. Don't run guest code you don't trust inside TCG without further sandboxing around QEMU. (Much of the code that runs in a TCG configuration is old and unaudited, so there may be lurking bugs. Configurations using KVM are the only ones where we treat guest escapes as security bugs.) + + +I think this bug was fixed in QEMU 3.1 -- I can reproduce the assert on 3.0 but not on 3.1. + + |
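Review bot: Nothing in the added file separates the classifier score block from the quoted bug-report text that follows it, so a consumer has to infer the boundary from the run of blank lines after `assembly: 0.070`; consider leading the file with a short header line (classifier name, score scale, the numeric identifier already carried in the path `results/classifier/118/none/1810956`) or writing scores and report text as two clearly delimited sections so the record can be parsed without guessing.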