summary refs log tree commit diff stats
path: root/results/classifier/accel-gemma3:12b/kvm/1813
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/accel-gemma3:12b/kvm/1813')
-rw-r--r--results/classifier/accel-gemma3:12b/kvm/1813113
1 files changed, 113 insertions, 0 deletions
diff --git a/results/classifier/accel-gemma3:12b/kvm/1813 b/results/classifier/accel-gemma3:12b/kvm/1813
new file mode 100644
index 000000000..4e321ba01
--- /dev/null
+++ b/results/classifier/accel-gemma3:12b/kvm/1813
@@ -0,0 +1,113 @@
+
+FPE division by zero in scsi_disk_reset() [CVE-2023-42467]
+Description of problem:
+Got an FPE division by zero error when fuzzing the device am53c974.
+Steps to reproduce:
+Minimized reproducer for the error:
+
+```plaintext
+cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -device \
+am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest /dev/null\
+ -qtest stdio
+outl 0xcf8 0x80001010
+outl 0xcfc 0xc000
+outl 0xcf8 0x80001004
+outw 0xcfc 0x05
+outl 0xc047 0x065a9d01
+write 0x65a9d 0x1 0x15
+write 0x65a9e 0x1 0x10
+write 0x65aa0 0x1 0x08
+write 0x65aa1 0x1 0x0c
+write 0x65aa7 0x1 0x01
+outl 0xc03d 0x03000000
+outl 0xc00a 0xc10000
+outl 0xc03d 0x03000000
+outl 0xc00a 0xc10000
+outl 0xc00b 0x9000
+outl 0xc00b 0x0300
+EOF
+```
+Additional information:
+The crash report triggered by the reproducer is:
+
+```plaintext
+[I 0.000000] OPENED
+[R +0.024387] outl 0xcf8 0x80001010
+[S +0.024420] OK
+OK
+[R +0.024470] outl 0xcfc 0xc000
+[S +0.024490] OK
+OK
+[R +0.024513] outl 0xcf8 0x80001004
+[S +0.024521] OK
+OK
+[R +0.024527] outw 0xcfc 0x05
+[S +0.022723] OK
+OK
+[R +0.022734] outl 0xc047 0x065a9d01
+[S +0.022742] OK
+OK
+[R +0.022747] write 0x65a9d 0x1 0x15
+[S +0.022932] OK
+OK
+[R +0.022941] write 0x65a9e 0x1 0x10
+[S +0.022947] OK
+OK
+[R +0.022952] write 0x65aa0 0x1 0x08
+[S +0.022958] OK
+OK
+[R +0.022965] write 0x65aa1 0x1 0x0c
+[S +0.022973] OK
+OK
+[R +0.022983] write 0x65aa7 0x1 0x01
+[S +0.022991] OK
+OK
+[R +0.023004] outl 0xc03d 0x03000000
+[S +0.023014] OK
+OK
+[R +0.023021] outl 0xc00a 0xc10000
+[S +0.023048] OK
+OK
+[R +0.023056] outl 0xc03d 0x03000000
+[S +0.023065] OK
+OK
+[R +0.023072] outl 0xc00a 0xc10000
+[S +0.023128] OK
+OK
+[R +0.023141] outl 0xc00b 0x9000
+[S +0.023159] OK
+OK
+[R +0.023166] outl 0xc00b 0x0300
+../hw/scsi/scsi-disk.c:2351:16: runtime error: division by zero
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/scsi-disk.c:2351:16 in
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==1208622==ERROR: AddressSanitizer: FPE on unknown address 0x558e9c0a9386 (pc 0x558e9c0a9386 bp 0x7ffcc04aaf50 sp 0x7ffcc04aaec0 T0)
+    #0 0x558e9c0a9386 in scsi_disk_reset ../hw/scsi/scsi-disk.c:2351:16
+    #1 0x558e9cf23f23 in resettable_phase_hold ../hw/core/resettable.c
+    #2 0x558e9cf0a861 in bus_reset_child_foreach ../hw/core/bus.c:97:13
+    #3 0x558e9cf23c05 in resettable_phase_hold ../hw/core/resettable.c:173:5
+    #4 0x558e9cf21b69 in resettable_assert_reset ../hw/core/resettable.c:60:5
+    #5 0x558e9cf217aa in resettable_reset ../hw/core/resettable.c:45:5
+    #6 0x558e9c0facd7 in esp_reg_write ../hw/scsi/esp.c:1075:13
+    #7 0x558e9c10d74d in esp_pci_io_write ../hw/scsi/esp-pci.c:214:9
+    #8 0x558e9cd7df23 in memory_region_write_accessor ../softmmu/memory.c:493:5
+    #9 0x558e9cd7d6aa in access_with_adjusted_size ../softmmu/memory.c:569:18
+    #10 0x558e9cd7ca50 in memory_region_dispatch_write ../softmmu/memory.c
+    #11 0x558e9cdc6fbf in flatview_write_continue ../softmmu/physmem.c:2653:23
+    #12 0x558e9cdbe463 in flatview_write ../softmmu/physmem.c:2695:12
+    #13 0x558e9cdbe177 in address_space_write ../softmmu/physmem.c:2791:18
+    #14 0x558e9cd70208 in cpu_outl ../softmmu/ioport.c:85:5
+    #15 0x558e9c4f0e76 in qtest_process_command ../softmmu/qtest.c:485:13
+    #16 0x558e9c4ef95b in qtest_process_inbuf ../softmmu/qtest.c:788:9
+    #17 0x558e9d3201a6 in fd_chr_read ../chardev/char-fd.c:72:9
+    #18 0x7f974a7c904d in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) (BuildId: 5fdb313daf182a33a858ba2cc945211b11d34561)
+    #19 0x558e9d58d40f in glib_pollfds_poll ../util/main-loop.c:290:9
+    #20 0x558e9d58d40f in os_host_main_loop_wait ../util/main-loop.c:313:5
+    #21 0x558e9d58d40f in main_loop_wait ../util/main-loop.c:592:11
+    #22 0x558e9c4fcf76 in qemu_main_loop ../softmmu/runstate.c:732:9
+    #23 0x558e9cf06835 in qemu_default_main ../softmmu/main.c:37:14
+    #24 0x7f97495f0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #25 0x558e9b6e809d in _start (./qemu-system-x86_64+0x1e9109d)
+```