summary refs log tree commit diff stats
path: root/results/classifier/gemma3:12b/device/1902112
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/gemma3:12b/device/1902112')
-rw-r--r--results/classifier/gemma3:12b/device/190211244
1 files changed, 44 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/1902112 b/results/classifier/gemma3:12b/device/1902112
new file mode 100644
index 000000000..5e9912acc
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1902112
@@ -0,0 +1,44 @@
+
+[OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write 
+
+OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26693
+
+=== Reproducer (build with --enable-sanitizers) ===
+export UBSAN_OPTIONS="print_stacktrace=1:silence_unsigned_overflow=1"
+cat << EOF | ./qemu-system-i386 -display none -machine\
+ accel=qtest, -m 512M -machine q35 -nodefaults -drive\
+ file=null-co://,if=none,format=raw,id=disk0 -device\
+ qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0\
+ -device usb-bot -device usb-storage,drive=disk0\
+ -chardev null,id=cd0 -chardev null,id=cd1 -device\
+ usb-braille,chardev=cd0 -device usb-ccid -device\
+ usb-ccid -device usb-kbd -device usb-mouse -device\
+ usb-serial,chardev=cd1 -device usb-tablet -device\
+ usb-wacom-tablet -device usb-audio -qtest stdio
+outl 0xcf8 0x80000803
+outl 0xcfc 0x18caffff
+outl 0xcf8 0x80000810
+outl 0xcfc 0x555a2e46
+write 0x555a1004 0x4 0xe7b9aa7a
+EOF
+
+=== Stack Trace ===
+ 	
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/usb/hcd-xhci.c:3012:30 in
+../hw/usb/hcd-xhci.c:3012:30: runtime error: index -1 out of bounds for type 'XHCIInterrupter [16]'
+#0 0x55bd2e97c8b0 in xhci_runtime_write /src/qemu/hw/usb/hcd-xhci.c:3012:30
+#1 0x55bd2edfdd13 in memory_region_write_accessor /src/qemu/softmmu/memory.c:484:5
+#2 0x55bd2edfdb14 in access_with_adjusted_size /src/qemu/softmmu/memory.c:545:18
+#3 0x55bd2edfd54b in memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#4 0x55bd2ed7fa46 in flatview_write_continue /src/qemu/softmmu/physmem.c:2767:23
+#5 0x55bd2ed7cac0 in flatview_write /src/qemu/softmmu/physmem.c:2807:14
+#6 0x55bd2ed7c9f8 in address_space_write /src/qemu/softmmu/physmem.c:2899:18
+#7 0x55bd2e85cf9b in __wrap_qtest_writeq /src/qemu/tests/qtest/fuzz/qtest_wrappers.c:187:9
+#8 0x55bd2e85b7b1 in op_write /src/qemu/tests/qtest/fuzz/generic_fuzz.c:476:13
+#9 0x55bd2e85a84c in generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:678:17
+#10 0x55bd2e85dd6f in LLVMFuzzerTestOneInput /src/qemu/tests/qtest/fuzz/fuzz.c:150:5
+#11 0x55bd2e7e9661 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
+#12 0x55bd2e7d4732 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
+#13 0x55bd2e7da7ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
+#14 0x55bd2e8027d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#15 0x7f3d153b783f in __libc_start_main
\ No newline at end of file