summary refs log tree commit diff stats
path: root/results/classifier/deepseek-2/output/manual-review/2296
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/deepseek-2/output/manual-review/2296')
-rw-r--r--results/classifier/deepseek-2/output/manual-review/229698
1 files changed, 98 insertions, 0 deletions
diff --git a/results/classifier/deepseek-2/output/manual-review/2296 b/results/classifier/deepseek-2/output/manual-review/2296
new file mode 100644
index 000000000..94c8e839a
--- /dev/null
+++ b/results/classifier/deepseek-2/output/manual-review/2296
@@ -0,0 +1,98 @@
+
+heap-buffer-overflow in virtio-sound
+Description of problem:
+The following log reveals it:
+
+```
+==3191578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000068620 at pc 0x55dadcde4ec5 bp 0x7ffe7f18aef0 sp 0x7ffe7f18aee0
+READ of size 8 at 0x602000068620 thread T0
+    #0 0x55dadcde4ec4 in virtio_snd_handle_rx_xfer ../hw/audio/virtio-snd.c:988
+    #1 0x55daddffbf5e in virtio_queue_notify ../hw/virtio/virtio.c:2296
+    #2 0x55dadd6cff4a in virtio_pci_notify_write ../hw/virtio/virtio-pci.c:1721
+    #3 0x55dade0ab336 in memory_region_write_accessor ../system/memory.c:497
+    #4 0x55dade0af3d0 in access_with_adjusted_size ../system/memory.c:573
+    #5 0x55dade0b5032 in memory_region_dispatch_write ../system/memory.c:1528
+    #6 0x55dade0ebb62 in flatview_write_continue_step ../system/physmem.c:2713
+    #7 0x55dade0ebfb2 in flatview_write_continue ../system/physmem.c:2743
+    #8 0x55dade0ebfb2 in flatview_write ../system/physmem.c:2774
+    #9 0x55dade0edd58 in address_space_write ../system/physmem.c:2894
+    #10 0x55dadd809972 in qtest_process_command ../system/qtest.c:679
+    #11 0x55dadd80c3e2 in qtest_process_inbuf ../system/qtest.c:811
+    #12 0x55dade6e79a4 in fd_chr_read ../chardev/char-fd.c:72
+    #13 0x7f79b0d29c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+    #14 0x55dade998bcf in glib_pollfds_poll ../util/main-loop.c:287
+    #15 0x55dade998bcf in os_host_main_loop_wait ../util/main-loop.c:310
+    #16 0x55dade998bcf in main_loop_wait ../util/main-loop.c:589
+    #17 0x55dadd810e00 in qemu_main_loop ../system/runstate.c:783
+    #18 0x55dade2b703a in qemu_default_main ../system/main.c:37
+    #19 0x7f79afe29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #20 0x7f79afe29e3f in __libc_start_main_impl ../csu/libc-start.c:392
+    #21 0x55dadcb5a284 in _start (/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ef6284)
+
+0x602000068620 is located 0 bytes to the right of 16-byte region [0x602000068610,0x602000068620)
+allocated by thread T0 here:
+    #0 0x7f79b18b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+    #1 0x7f79b0d32c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
+    #2 0x55dadebf5847  (/home/joey/repo/qemu/build/qemu-system-x86_64+0x4f91847)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../hw/audio/virtio-snd.c:988 in virtio_snd_handle_rx_xfer
+Shadow bytes around the buggy address:
+  0x0c0480005070: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa
+  0x0c0480005080: fa fa 05 fa fa fa 07 fa fa fa 00 03 fa fa fd fd
+  0x0c0480005090: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 06
+  0x0c04800050a0: fa fa 00 00 fa fa 00 00 fa fa 00 01 fa fa 05 fa
+  0x0c04800050b0: fa fa 00 03 fa fa 00 03 fa fa 00 01 fa fa 00 05
+=>0x0c04800050c0: fa fa 00 00[fa]fa 00 00 fa fa 00 04 fa fa 00 00
+  0x0c04800050d0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
+  0x0c04800050e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+  0x0c04800050f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+  0x0c0480005100: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
+  0x0c0480005110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+```
+Steps to reproduce:
+```
+cat << EOF | qemu-system-x86_64 -display none \
+-machine accel=qtest -m 512M -machine q35 -device \
+virtio-sound,audiodev=my_audiodev,streams=2 -audiodev \
+alsa,id=my_audiodev -qtest stdio
+outl 0xcf8 0x80001804
+outw 0xcfc 0x06
+outl 0xcf8 0x80001820
+outl 0xcfc 0xe0008000
+write 0xe0008016 0x1 0x03
+write 0xe0008020 0x4 0x00901000
+write 0xe0008028 0x4 0x00a01000
+write 0xe000801c 0x1 0x01
+write 0xe000a004 0x1 0x40
+write 0x10c000 0x1 0x02
+write 0x109001 0x1 0xc0
+write 0x109002 0x1 0x10
+write 0x109008 0x1 0x04
+write 0x10a002 0x1 0x01
+write 0xe000b00d 0x1 0x00
+EOF
+```
+
+# Possible Fix
+
+check the user-assigned value in virtio_snd_set_config()