summary refs log tree commit diff stats
path: root/results/classifier/accel-gemma3:12b/kvm/1904652
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/accel-gemma3:12b/kvm/1904652')
-rw-r--r--results/classifier/accel-gemma3:12b/kvm/190465251
1 files changed, 51 insertions, 0 deletions
diff --git a/results/classifier/accel-gemma3:12b/kvm/1904652 b/results/classifier/accel-gemma3:12b/kvm/1904652
new file mode 100644
index 000000000..1961c42a8
--- /dev/null
+++ b/results/classifier/accel-gemma3:12b/kvm/1904652
@@ -0,0 +1,51 @@
+
+Assertion failure in usb-ohci
+
+Hello,
+
+Using hypervisor fuzzer, hyfuzz, I found an assertion failure through usb-ohci.
+
+A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
+
+This was found in version 5.2.0 (master)
+
+--------
+
+```
+
+Program terminated with signal SIGABRT, Aborted.
+
+#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+[Current thread is 1 (Thread 0x7f34d0411440 (LWP 9418))]
+gdb-peda$ bt
+#0  0x00007f34c8d4ef47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+#1  0x00007f34c8d508b1 in __GI_abort () at abort.c:79
+#2  0x000055d3a2081844 in ohci_frame_boundary (opaque=0x55d3a4ecdaf0) at ../hw/usb/hcd-ohci.c:1297
+#3  0x000055d3a25be155 in timerlist_run_timers (timer_list=0x55d3a3fd9840) at ../util/qemu-timer.c:574
+#4  0x000055d3a25beaba in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at ../util/qemu-timer.c:588
+#5  0x000055d3a25beaba in qemu_clock_run_all_timers () at ../util/qemu-timer.c:670
+#6  0x000055d3a25e69a1 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
+#7  0x000055d3a2433972 in qemu_main_loop () at ../softmmu/vl.c:1678
+#8  0x000055d3a1d0969b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>,
+    argv@entry=0x7ffc6de722a8, envp=<optimized out>) at ../softmmu/main.c:50
+#9  0x00007f34c8d31b97 in __libc_start_main (main=
+    0x55d3a1d09690 <main>, argc=0x15, argv=0x7ffc6de722a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc6de72298) at ../csu/libc-start.c:310
+#10 0x000055d3a1d095aa in _start ()
+```
+
+To reproduce the assertion failure, please run the QEMU with the following command line.
+
+```
+[Terminal 1]
+
+$ qemu-system-i386 -m 512 -drive file=./fs.img,index=1,media=disk,format=raw -drive file=./hyfuzz.img,index=0,media=disk,format=raw -drive if=none,id=stick,file=./usbdisk.img,format=raw -device pci-ohci,id=usb -device usb-storage,bus=usb.0,drive=stick
+
+[Terminal 2]
+
+$ ./repro_log ./fs.img ./pci-ohci
+
+```
+
+Please let me know if I can provide any further info.
+-Cheolwoo, Myung (Seoul National University)
\ No newline at end of file