From: Alex Bennée
To: qemu-devel@nongnu.org
Cc: Bug 1915925 <1915925@bugs.launchpad.net>, keithp@keithp.com, Alex Bennée
Subject: [PATCH v2 3/4] semihosting/arm-compat-semi: deref parameter register for SYS_HEAPINFO
Date: Tue, 9 Mar 2021 14:17:26 +0000
Message-Id: <20210309141727.12522-4-alex.bennee@linaro.org>
In-Reply-To: <20210309141727.12522-1-alex.bennee@linaro.org>
References: <20210309141727.12522-1-alex.bennee@linaro.org>

As per the spec: the PARAMETER REGISTER contains the address of a pointer
to a four-field data block. So we need to follow the pointer and place
the results of SYS_HEAPINFO there.

Bug: https://bugs.launchpad.net/bugs/1915925
Cc: Bug 1915925 <1915925@bugs.launchpad.net>
Cc: Keith Packard
Signed-off-by: Alex Bennée
---
 semihosting/arm-compat-semi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/semihosting/arm-compat-semi.c b/semihosting/arm-compat-semi.c
index 733eea1e2d..2ac9226d29 100644
--- a/semihosting/arm-compat-semi.c
+++ b/semihosting/arm-compat-semi.c
@@ -1210,6 +1210,8 @@ target_ulong do_common_semihosting(CPUState *cs) retvals[2] = rambase + limit; /* Stack base */ retvals[3] = rambase; /* Stack limit. */ #endif + /* The result array is pointed to by arg0 */ + args = arg0; for (i = 0; i < ARRAY_SIZE(retvals); i++) { bool fail; -- 2.20.1
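Review bot: `args = arg0;` reuses the local that held the parameter register to hold the guest pointer that was loaded from it, so from this line on `args` names the four-field result block rather than the parameter block; the comment above it should say that explicitly (e.g. "arg0 was read from the parameter register; args now addresses the four-field data block"), or the destination should get its own local so `args` keeps one meaning for the whole of do_common_semihosting. Because arg0 is an untrusted guest address, the store loop that follows must keep acting on its `fail` result for every one of the ARRAY_SIZE(retvals) writes; nothing in this hunk validates the pointer before it is used as the write target.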
From: Alex Bennée <1915925@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1915925] [PATCH v2 3/4] semihosting/arm-compat-semi: deref parameter register for SYS_HEAPINFO
Date: Tue, 09 Mar 2021 14:17:26 -0000
Message-ID: <20210309141727.12522-4-alex.bennee@linaro.org>
References: <161356438332.24036.4652954745285513495.malonedeb@chaenomeles.canonical.com>
X-Launchpad-Bug: product=qemu; status=Confirmed; importance=Undecided; assignee=alex.bennee@linaro.org;
X-Launchpad-Bug-Tags: semihosting testcase
X-Launchpad-Bug-Reporter: iNvEr7 (inver7)
X-Launchpad-Bug-Commenters: ajbennee inver7 keithp pmaydell

https://bugs.launchpad.net/bugs/1915925

Title:
  ARM semihosting HEAPINFO results wrote to wrong address

Status in QEMU:
  Confirmed

Bug description:
  This affects the latest development branch of QEMU.

  According to the ARM spec of the HEAPINFO semihosting call:
  https://developer.arm.com/documentation/100863/0300/Semihosting-operations/SYS-HEAPINFO--0x16-?lang=en

  > the PARAMETER REGISTER contains the address of a pointer to a
  > four-field data block.

  However, QEMU treated the PARAMETER REGISTER as pointing to a
  four-field data block directly.

  Here is a simple program that can demonstrate this problem:
  https://github.com/iNvEr7/qemu-learn/tree/newlib-bug/semihosting-newlib

  This code links with newlib in semihosting mode, which will call the
  HEAPINFO SVC during the crt0 routine. When running in QEMU (make run),
  it may crash the program either because of an invalid write or memory
  corruption, depending on the compiled program structure.

  Also refer to my discussion with newlib folks:
  https://sourceware.org/pipermail/newlib/2021/018260.html
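The failure mode the bug report and the patch describe, as an added example that is not part of the original thread, of QEMU, or of the reporter's test program: a simulated 32-bit guest address space in which the parameter register holds the address of a single pointer word, and a host-side handler that either writes the four HEAPINFO fields at the parameter register itself (the pre-patch behaviour) or follows the pointer first (the behaviour the patch introduces). The guest addresses (PARAM_BLOCK, DATA_BLOCK), the canary value and the heap/stack numbers are constructed for the demonstration, and host and guest are assumed to share endianness.

```c
/* Added example, not QEMU code: models the guest-memory layout of the ARM
 * semihosting SYS_HEAPINFO (0x16) call and contrasts a host that treats the
 * parameter register as the data block with one that follows the pointer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 256u
#define PARAM_BLOCK    0x10u        /* constructed: where the pointer word lives      */
#define DATA_BLOCK     0x40u        /* constructed: the four-field block it points at */
#define CANARY         0xA5A5A5A5u  /* constructed: caller's words next to the pointer */

/* Simulated guest RAM addressed from 0; every access is bounds- and alignment-checked
 * the way a host must check any guest-supplied address before touching it. */
static uint8_t guest_mem[GUEST_MEM_SIZE];

static bool guest_read_u32(uint32_t addr, uint32_t *out) {
    if (addr > GUEST_MEM_SIZE - 4 || (addr & 3)) return false;
    memcpy(out, &guest_mem[addr], 4);   /* host/guest endianness assumed equal */
    return true;
}

static bool guest_write_u32(uint32_t addr, uint32_t val) {
    if (addr > GUEST_MEM_SIZE - 4 || (addr & 3)) return false;
    memcpy(&guest_mem[addr], &val, 4);
    return true;
}

/* The four fields SYS_HEAPINFO reports, in the order the spec lists them. */
typedef struct { uint32_t heap_base, heap_limit, stack_base, stack_limit; } heapinfo_t;

/* Guest side: a parameter block holding one pointer word, followed by three words
 * that belong to the caller (think of locals on the stack right after the pointer). */
static void guest_setup(void) {
    memset(guest_mem, 0, sizeof guest_mem);
    guest_write_u32(PARAM_BLOCK, DATA_BLOCK);
    for (uint32_t a = PARAM_BLOCK + 4; a < PARAM_BLOCK + 16; a += 4)
        guest_write_u32(a, CANARY);
}

/* Host side. deref_pointer=false writes the fields at the parameter register itself
 * (pre-patch); deref_pointer=true reads the pointer first and writes through it. */
static bool host_sys_heapinfo(uint32_t param_reg, const heapinfo_t *hi, bool deref_pointer) {
    uint32_t dest = param_reg;
    if (deref_pointer && !guest_read_u32(param_reg, &dest)) return false;
    const uint32_t vals[4] = { hi->heap_base, hi->heap_limit, hi->stack_base, hi->stack_limit };
    for (size_t i = 0; i < 4; i++)
        if (!guest_write_u32(dest + 4 * (uint32_t)i, vals[i])) return false;
    return true;
}

static uint32_t guest_word(uint32_t addr) {
    uint32_t v = 0;
    guest_read_u32(addr, &v);
    return v;
}

/* 1 if none of the caller's words next to the pointer were overwritten. */
static int canaries_intact(void) {
    for (uint32_t a = PARAM_BLOCK + 4; a < PARAM_BLOCK + 16; a += 4)
        if (guest_word(a) != CANARY) return 0;
    return 1;
}

/* Runs one call on the constructed layout. Returns 1 if the block at DATA_BLOCK
 * received all four values and the caller's words survived, 0 if either failed,
 * -1 if the host rejected a guest address. */
static int run_heapinfo(bool deref_pointer) {
    const heapinfo_t hi = { 0x20000000u, 0x20010000u, 0x20020000u, 0x20010000u }; /* constructed */
    guest_setup();
    if (!host_sys_heapinfo(PARAM_BLOCK, &hi, deref_pointer)) return -1;
    bool block_ok = guest_word(DATA_BLOCK)      == hi.heap_base
                 && guest_word(DATA_BLOCK + 4)  == hi.heap_limit
                 && guest_word(DATA_BLOCK + 8)  == hi.stack_base
                 && guest_word(DATA_BLOCK + 12) == hi.stack_limit;
    return (block_ok && canaries_intact()) ? 1 : 0;
}

int main(void) {
    printf("parameter register used directly: %s\n",
           run_heapinfo(false) == 1 ? "ok" : "caller memory clobbered, data block left empty");
    printf("pointer followed first:           %s\n",
           run_heapinfo(true) == 1 ? "ok" : "FAILED");
    return 0;
}
```

The pre-patch path never touches DATA_BLOCK: it overwrites the pointer word and the three caller words after it, which is the "invalid write or memory corruption" the report observed from newlib's crt0, where the block is on the stack and whatever follows the pointer gets clobbered.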