summary refs log tree commit diff stats
path: root/results/classifier/zero-shot/105/other/2742
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/zero-shot/105/other/2742')
-rw-r--r--results/classifier/zero-shot/105/other/274279
1 files changed, 79 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/105/other/2742 b/results/classifier/zero-shot/105/other/2742
new file mode 100644
index 000000000..94568b0f2
--- /dev/null
+++ b/results/classifier/zero-shot/105/other/2742
@@ -0,0 +1,79 @@
+other: 0.946
+instruction: 0.937
+device: 0.936
+graphic: 0.936
+semantic: 0.916
+vnc: 0.913
+assembly: 0.911
+boot: 0.903
+KVM: 0.899
+network: 0.897
+mistranslation: 0.892
+socket: 0.889
+
+heap-buffer-overflow in smc91c111_do_tx()
+Description of problem:
+A buffer-overflow bug was triggered by my fuzzer at smc91c111_do_tx().
+
+I've patched hw/net/smc91c111.c with:
+
+```
+diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
+index 702d0e8e83..286298bf06 100644
+--- a/hw/net/smc91c111.c
++++ b/hw/net/smc91c111.c
+@@ -429,7 +429,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
+              /* Ignore.  */
+              return;
+          case 2: /* Packet Number Register */
+-            s->packet_num = value;
++            s->packet_num = value & (NUM_PACKETS - 1);
+              return;
+          case 3: case 4: case 5:
+              /* Should be readonly, but linux writes to them anyway. Ignore.  */
+```
+
+The error is:
+
+```
+==2724739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022941 at pc 0x595ebbed687b bp 0x7fffa0098a50 sp 0x7fffa0098a48
+READ of size 1 at 0x629000022941 thread T0
+    #0 0x595ebbed687a in smc91c111_do_tx hw/net/smc91c111.c:240:19
+    #1 0x595ebbed687a in smc91c111_queue_tx hw/net/smc91c111.c:284:5
+    #2 0x595ebbed687a in smc91c111_writeb hw/net/smc91c111.c:419:17
+    #3 0x595ebbed687a in smc91c111_writefn hw/net/smc91c111.c:666:9
+    #4 0x595ebd174d33 in memory_region_write_accessor system/memory.c:497:5
+    #5 0x595ebd1744aa in access_with_adjusted_size system/memory.c:573:18
+    #6 0x595ebd1738d8 in memory_region_dispatch_write system/memory.c
+    #7 0x595ebd1cc984 in flatview_write_continue_step system/physmem.c:2786:18
+    #8 0x595ebd1b9880 in flatview_write_continue system/physmem.c:2816:19
+    #9 0x595ebd1b9880 in flatview_write system/physmem.c:2847:12
+    #10 0x595ebd1b9517 in address_space_write system/physmem.c:2967:18
+    #11 0x595ebc77d5c3 in qtest_process_command system/qtest.c:522:13
+    #12 0x595ebc77b83b in qtest_process_inbuf system/qtest.c:776:9
+    ...
+```
+Steps to reproduce:
+```
+export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
+cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
+clock_step
+clock_step
+writel 0x4e000000 0x2b1e08f5
+writew 0x4e000000 0x2b1e08f5
+writel 0x4e00000c 0x66027d24
+clock_step
+readb 0x4e000000
+writel 0x4e000008 0x238e1f29
+writew 0x4e000000 0x41d9fe3b
+writel 0x4e00000c 0x27022a2d
+clock_step
+readw 0x4e000004
+clock_step
+readb 0x4e000008
+clock_step
+writew 0x4e000000 0x620c5fdf
+EOF
+```
+Additional information:
+