summary refs log tree commit diff stats
path: root/results/classifier/118/risc-v/1910826
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/risc-v/1910826')
-rw-r--r--results/classifier/118/risc-v/1910826141
1 files changed, 141 insertions, 0 deletions
diff --git a/results/classifier/118/risc-v/1910826 b/results/classifier/118/risc-v/1910826
new file mode 100644
index 000000000..a715d76d8
--- /dev/null
+++ b/results/classifier/118/risc-v/1910826
@@ -0,0 +1,141 @@
+risc-v: 0.832
+device: 0.821
+hypervisor: 0.797
+user-level: 0.797
+virtual: 0.797
+TCG: 0.793
+peripherals: 0.787
+graphic: 0.780
+register: 0.777
+KVM: 0.763
+performance: 0.761
+ppc: 0.752
+mistranslation: 0.743
+permissions: 0.736
+x86: 0.718
+VMM: 0.709
+vnc: 0.708
+i386: 0.704
+architecture: 0.696
+semantic: 0.692
+arm: 0.668
+debug: 0.665
+boot: 0.654
+assembly: 0.632
+files: 0.632
+network: 0.630
+PID: 0.572
+kernel: 0.559
+socket: 0.519
+
+[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
+
+=== Reproducer ===
+cat << EOF | ../build/qemu-system-i386 -machine q35 \
+-nodefaults  -device rtl8139,netdev=net0 \
+-netdev user,id=net0 -display none -qtest stdio
+outl 0xcf8 0x80000804
+outb 0xcfc 0x26
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+write 0x1 0x1 0x42
+write 0x5 0x1 0x42
+write 0x9 0x1 0x42
+write 0xd 0x1 0x42
+write 0xff000044 0x4 0x11
+write 0xff000037 0x1 0x1c
+writel 0xff000030 0xff000000
+write 0xff000040 0x4 0x100006
+write 0xff000010 0x4 0x01020
+EOF
+
+=== Stack Trace ===
+==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
+#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
+#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
+#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
+#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
+#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
+#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
+#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
+#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
+#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
+#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
+#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
+#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
+#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
+#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
+#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
+#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
+#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
+#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
+#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
+#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
+#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
+#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
+#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
+#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
+#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
+#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
+Repeat until we run out of stack
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
+
+A more concise version and corresponding notes. Might help :)
+
+-- [ Reproducer
+
+cat << EOF | ../build/qemu-system-i386 -machine q35 \
+-nodefaults  -device rtl8139,netdev=net0 \
+-netdev user,id=net0 -display none -qtest stdio
+outl 0xcf8 0x80000804
+outb 0xcfc 0x06
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+write 0xff000037 0x1 0x0c
+writel 0xff000030 0xff000010
+write 0xff000040 0x4 0x100006
+write 0xff000044 0x4 0x01
+write 0xff000010 0x4 0x01
+EOF
+
+-- [ Notes
+
+/* Make the MMIO region start from 0xff000000 */
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+
+/*Command Register: enable receiver and transmitter*/
+write 0xff000037 0x1 0x0c
+
+/* set Receive (Rx) Buffer Start Address at 0xff000010 */
+/* Note: 0xff000010 - 0xff000000 = 0x10 is the offset of TSD0*/
+writel 0xff000030 0xff000010
+
+/* TXRR, Tx Retry Count = 1 */
+/* set transmit mode into the loopback */
+write 0xff000040 0x4 0x100006
+
+/* Receive Configuration Register: Accept All Packets */
+write 0xff000044 0x4 0x01
+
+/* TSD0: set Descriptor Size to 1 and trigger a tranfer*/
+write 0xff000010 0x4 0x01
+
+
+OSS-Fuzz says this issue has been fixed.
+
+https://gitlab.com/qemu-project/qemu/-/commit/5311fb805a4403bba
+