Diffstat (limited to 'results/classifier/zero-shot/108/other/1880189')
-rw-r--r--results/classifier/zero-shot/108/other/1880189127
1 files changed, 127 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/108/other/1880189 b/results/classifier/zero-shot/108/other/1880189
new file mode 100644
index 000000000..5be1335a2
--- /dev/null
+++ b/results/classifier/zero-shot/108/other/1880189
@@ -0,0 +1,127 @@
+other: 0.939
+permissions: 0.922
+files: 0.922
+debug: 0.922
+vnc: 0.921
+device: 0.920
+KVM: 0.917
+performance: 0.913
+semantic: 0.912
+boot: 0.911
+graphic: 0.909
+network: 0.904
+socket: 0.895
+PID: 0.889
+
+I/O writes make cirrus_invalidate_region() crash
+
+As of commit d19f1ab0, LLVM libFuzzer found:
+
+qemu-fuzz-i386: hw/display/cirrus_vga.c:646: void cirrus_invalidate_region(CirrusVGAState *, int, int, int, int): Assertion `off_cur_end >= off_cur' failed.
+==1336555== ERROR: libFuzzer: deadly signal
+    #0 0xaaaaaf943ce4 in __sanitizer_print_stack_trace
+    #1 0xaaaaaf899474 in fuzzer::PrintStackTrace()
+    #2 0xaaaaaf884c80 in fuzzer::Fuzzer::CrashCallback()
+    #3 0xffff9b4e8568  (linux-vdso.so.1+0x568)
+    #4 0xffff99ac406c in __libc_signal_restore_set /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #5 0xffff99ac406c in raise /build/glibc-w4ZToO/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #6 0xffff99ab0d64 in abort /build/glibc-w4ZToO/glibc-2.31/stdlib/abort.c:79:7
+    #7 0xffff99abd5d8 in __assert_fail_base /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:92:3
+    #8 0xffff99abd640 in __assert_fail /build/glibc-w4ZToO/glibc-2.31/assert/assert.c:101:3
+    #9 0xaaaab040768c in cirrus_invalidate_region
+    #10 0xaaaab0405404 in cirrus_bitblt_solidfill
+    #11 0xaaaab0402a88 in cirrus_bitblt_start
+    #12 0xaaaab04046a8 in cirrus_write_bitblt
+    #13 0xaaaab0400db4 in cirrus_vga_write_gr
+    #14 0xaaaab03fd33c in cirrus_vga_ioport_write
+    #15 0xaaaaafb41674 in memory_region_write_accessor
+    #16 0xaaaaafb411ec in access_with_adjusted_size
+    #17 0xaaaaafb40180 in memory_region_dispatch_write
+    #18 0xaaaaaf995dfc in flatview_write_continue
+    #19 0xaaaaaf985bd8 in flatview_write
+    #20 0xaaaaaf98574c in address_space_write
+    #21 0xaaaab110510c in ioport_fuzz_qtest
+    #22 0xaaaab1103a48 in i440fx_fuzz_qtest
+    #23 0xaaaab11010d8 in LLVMFuzzerTestOneInput
+
+Reproducer:
+
+qemu-system-i386 -M isapc,accel=qtest -vga cirrus -qtest stdio << 'EOF'
+outl 0x03b1 0x2fdc1001
+outb 0x03cc 0xe
+outb 0x03cc 0xe
+outb 0x03cc 0x2f
+outb 0x03cc 0xe
+outb 0x03cc 0x2f
+outb 0x03cc 0xe
+outl 0x03cc 0xedc100e
+outb 0x03cc 0x2f
+outl 0x03cc 0xe24f40e
+outl 0x03cc 0x2f23dc12
+outl 0x03cc 0xe23f40e
+outl 0x03cc 0xe31dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0xe2af40e
+outl 0x03cc 0x2f235612
+outl 0x03cc 0xe23f40e
+outl 0x03cc 0xe31dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0x2fdcf40e
+outb 0x03cc 0xe
+outl 0x03cc 0xedc100e
+outb 0x03cc 0x2f
+outl 0x03cc 0xe24f40e
+outl 0x03cc 0xe23dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0xedc100e
+outl 0x03cc 0x2fdc400e
+outb 0x03cc 0xe
+outl 0x03cc 0xe130100e
+outb 0x03cc 0x2f
+outl 0x03cc 0xe23f40e
+outl 0x03cc 0xe31dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0xe33f40e
+outl 0x03cc 0xdc235612
+outb 0x03cc 0xe
+outl 0x03cc 0x2fdc400e
+outb 0x03cc 0xe
+outl 0x03cc 0xfb24100e
+outb 0x03cc 0x2f
+outl 0x03cc 0xdc10dc0e
+outl 0x03cc 0x2f31dc12
+outl 0x03cc 0xe23f40e
+outl 0x03cc 0xe31dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0xe23f40e
+outl 0x03cc 0xe31dc12
+outb 0x03cc 0x2f
+outl 0x03cc 0x1021f40e
+EOF
+qemu-system-i386: hw/display/cirrus_vga.c:645: cirrus_invalidate_region: Assertion `off_cur_end >= off_cur' failed.
+Aborted (core dumped)
+
+(gdb) bt
+#0  0x00007f1d019fee35 in raise () at /lib64/libc.so.6
+#1  0x00007f1d019e9895 in abort () at /lib64/libc.so.6
+#2  0x00007f1d019e9769 in _nl_load_domain.cold () at /lib64/libc.so.6
+#3  0x00007f1d019f7566 in annobin_assert.c_end () at /lib64/libc.so.6
+#4  0x00005645cb447a37 in cirrus_invalidate_region (s=0x5645cd237540, off_begin=2097204, off_pitch=251, bytesperline=1, lines=7169) at hw/display/cirrus_vga.c:645
+#5  0x00005645cb447cc8 in cirrus_bitblt_solidfill (s=0x5645cd237540, blt_rop=0) at hw/display/cirrus_vga.c:704
+#6  0x00005645cb448886 in cirrus_bitblt_start (s=0x5645cd237540) at hw/display/cirrus_vga.c:1005
+#7  0x00005645cb448dd1 in cirrus_write_bitblt (s=0x5645cd237540, reg_value=47) at hw/display/cirrus_vga.c:1090
+#8  0x00005645cb449b02 in cirrus_vga_write_gr (s=0x5645cd237540, reg_index=49, reg_value=47) at hw/display/cirrus_vga.c:1593
+#9  0x00005645cb44bb2f in cirrus_vga_ioport_write (opaque=0x5645cd237540, addr=975, val=47, size=1) at hw/display/cirrus_vga.c:2686
+#10 0x00005645cb1e0d6e in memory_region_write_accessor (mr=0x5645cd247f10, addr=31, value=0x7fff178d6c18, size=1, shift=24, mask=255, attrs=...) at memory.c:483
+#11 0x00005645cb1e0f7f in access_with_adjusted_size (addr=28, value=0x7fff178d6c18, size=4, access_size_min=1, access_size_max=1, access_fn=
+    0x5645cb1e0c8b <memory_region_write_accessor>, mr=0x5645cd247f10, attrs=...) at memory.c:544
+#12 0x00005645cb1e3e9d in memory_region_dispatch_write (mr=0x5645cd247f10, addr=28, data=791796754, op=MO_32, attrs=...) at memory.c:1476
+#13 0x00005645cb1845e5 in flatview_write_continue (fv=0x5645cd65e510, addr=972, attrs=..., ptr=0x7fff178d6da4, len=4, addr1=28, l=4, mr=0x5645cd247f10) at exec.c:3137
+#14 0x00005645cb18472a in flatview_write (fv=0x5645cd65e510, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3177
+#15 0x00005645cb184a7d in address_space_write (as=0x5645cbd7bb20 <address_space_io>, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3268
+#16 0x00005645cb1db385 in cpu_outl (addr=972, val=791796754) at ioport.c:80
+
+Making this bug public as secalert@ said "if an unprivileged guest user can not trigger it, it can be treated as a normal bug".
+
+Fixed in commit 5fcf787582dd911df3a971718010bfca5a20e61d
+