path: root/results/classifier/118/risc-v/2778
Diffstat (limited to 'results/classifier/118/risc-v/2778')
-rw-r--r--results/classifier/118/risc-v/2778129
1 files changed, 129 insertions, 0 deletions
diff --git a/results/classifier/118/risc-v/2778 b/results/classifier/118/risc-v/2778
new file mode 100644
index 000000000..3211c9a3d
--- /dev/null
+++ b/results/classifier/118/risc-v/2778
@@ -0,0 +1,129 @@
+risc-v: 0.830
+graphic: 0.765
+mistranslation: 0.758
+device: 0.738
+permissions: 0.738
+semantic: 0.729
+architecture: 0.715
+virtual: 0.698
+user-level: 0.680
+PID: 0.678
+ppc: 0.675
+register: 0.670
+debug: 0.670
+assembly: 0.665
+arm: 0.664
+hypervisor: 0.644
+kernel: 0.625
+peripherals: 0.612
+performance: 0.588
+boot: 0.582
+KVM: 0.581
+TCG: 0.577
+network: 0.564
+VMM: 0.554
+socket: 0.543
+x86: 0.542
+vnc: 0.535
+files: 0.528
+i386: 0.400
+
+Null Dereference in ahci-hd device
+Description of problem:
+Issue was found by fuzzing. With some qtest commands we can crash qemu-system-x86_64 because of Null dereference.
+Steps to reproduce:
+Command:
+
+```
+cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0  -qtest stdio
+outl 0xcf8 0x8000fa24
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x8000fa04
+outw 0xcfc 0x06
+write 0xe00003b8 0x1 0x01
+write 0x0 0x1 0x27
+write 0x1 0x1 0x80
+write 0x2 0x1 0x20
+write 0x7 0x1 0x01
+write 0xe0000398 0x1 0x01
+write 0xe0000398 0x1 0x00
+write 0xe0000398 0x1 0x01
+EOF
+```
+
+Results in 
+
+```
+[I 0.000001] OPENED
+[R +0.082978] outl 0xcf8 0x8000fa24
+[S +0.083040] OK
+OK
+[R +0.083070] outl 0xcfc 0xe0000000
+[S +0.083115] OK
+OK
+[R +0.083132] outl 0xcf8 0x8000fa04
+[S +0.083152] OK
+OK
+[R +0.083180] outw 0xcfc 0x06
+[S +0.084233] OK
+OK
+[R +0.084291] write 0xe00003b8 0x1 0x01
+[S +0.084344] OK
+OK
+[R +0.084384] write 0x0 0x1 0x27
+[S +0.085007] OK
+OK
+[R +0.085041] write 0x1 0x1 0x80
+[S +0.085055] OK
+OK
+[R +0.085071] write 0x2 0x1 0x20
+[S +0.085084] OK
+OK
+[R +0.085096] write 0x7 0x1 0x01
+[S +0.085110] OK
+OK
+[R +0.085123] write 0xe0000398 0x1 0x01
+[S +0.085254] OK
+OK
+[R +0.085294] write 0xe0000398 0x1 0x00
+[S +0.085324] OK
+OK
+[R +0.085349] write 0xe0000398 0x1 0x01
+[S +0.085408] OK
+OK
+../hw/ide/ahci.c:1377:46: runtime error: member access within null pointer of type 'AHCICmdHdr' (aka 'struct AHCICmdHdr')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in 
+../hw/ide/ahci.c:1377:46: runtime error: load of null pointer of type 'uint16_t' (aka 'unsigned short')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in 
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==2547739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55abf3a79f9c bp 0x7ffc213000d0 sp 0x7ffc212fffa0 T0)
+==2547739==The signal is caused by a READ memory access.
+==2547739==Hint: address points to the zero page.
+    #0 0x55abf3a79f9c in ahci_pio_transfer /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46
+    #1 0x55abf3a8a396 in ide_transfer_start_norecurse /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:581:5
+    #2 0x55abf3aab79e in ide_transfer_start /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:588:9
+    #3 0x55abf3aab79e in ide_sector_read_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:789:5
+    #4 0x55abf3a8d6e2 in ide_buffered_readv_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:684:9
+    #5 0x55abf4f31d33 in blk_aio_complete /home/artemiin/Work/original_qemu/build/../block/block-backend.c:1552:9
+    #6 0x55abf545010b in aio_bh_call /home/artemiin/Work/original_qemu/build/../util/async.c:172:5
+    #7 0x55abf545089f in aio_bh_poll /home/artemiin/Work/original_qemu/build/../util/async.c:219:13
+    #8 0x55abf53e746a in aio_dispatch /home/artemiin/Work/original_qemu/build/../util/aio-posix.c:424:5
+    #9 0x55abf545469a in aio_ctx_dispatch /home/artemiin/Work/original_qemu/build/../util/async.c:361:5
+    #10 0x7f358845b7a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4)
+    #11 0x55abf5455787 in glib_pollfds_poll /home/artemiin/Work/original_qemu/build/../util/main-loop.c:287:9
+    #12 0x55abf5455787 in os_host_main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:310:5
+    #13 0x55abf5455787 in main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:589:11
+    #14 0x55abf425c296 in qemu_main_loop /home/artemiin/Work/original_qemu/build/../system/runstate.c:835:9
+    #15 0x55abf51df1c6 in qemu_default_main /home/artemiin/Work/original_qemu/build/../system/main.c:48:14
+    #16 0x55abf51df1a1 in main /home/artemiin/Work/original_qemu/build/../system/main.c:76:9
+    #17 0x7f3587219249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+    #18 0x7f3587219304 in __libc_start_main csu/../csu/libc-start.c:360:3
+    #19 0x55abf353be60 in _start (/home/artemiin/Work/original_qemu/build/qemu-system-x86_64+0x1828e60) (BuildId: f91712a3af40a999ce35e39809ce00f92c35ae25)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46 in ahci_pio_transfer
+==2547739==ABORTING
+```
+Additional information:
+This issue may need a complicated patch so I ask developers to take a look at this issue.
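Review bot: the top-ranked label `+risc-v: 0.830` on the first line of the hunk is not supported by the report body it scores: the reproduction runs `qemu-system-x86_64` with `-machine q35`, the device is `ide-hd` on AHCI, and every frame of the trace is in `hw/ide/ahci.c` or `hw/ide/core.c`, so `device`, `x86` (0.542) and `i386` (0.400) are the labels the content actually supports and `risc-v` looks like a classifier miss rather than a correct score. If this results directory is used to measure classifier accuracy, the expected label (or a note that this entry is a known misclassification) should be recorded next to it. Separately, the report gives no QEMU version or commit for the build the trace came from, so the `ahci.c:1377:46` location and the `ahci_pio_transfer` frame cannot be matched to a source revision by anyone re-checking the entry.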