qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction
@ 2019-01-24 19:53 Alberto Ortega
  2019-01-30 18:06 ` halfdog
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Alberto Ortega @ 2019-01-24 19:53 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

QEMU version:
-------------

qemu from git, master branch commit
d058a37a6e8daa8d71a6f2b613eb415b69363755

Release versions are also affected.

Summary:
--------

QEMU i386 and x86_64 system emulation crashes when executing the following
"int" instruction:

cd08  int 8

This generates a kernel NULL pointer dereference error in Linux, and a
BSOD error in Windows.

No special permissions are required to execute the instruction; any
unprivileged user can execute it.

This issue has been reproduced in QEMU running in TCG mode. KVM is not
affected.

Kernel panic log:

[  111.091138] BUG: unable to handle kernel NULL pointer dereference at 00000014
[  111.092145] IP: [<ce0513ad>] doublefault_fn+0xd/0x130
[  111.092145] *pdpt = 0000000000000000 *pde = f000ff53f000ff53 [  111.092145] 
[  111.092145] Oops: 0000 [#1] SMP
[  111.092145] Modules linked in: kvm_amd bochs_drm ppdev ttm drm_kms_helper drm kvm irqbypass evdev pcspkr serio_raw sg parport_pc parport button ip_tables x_tables autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb xts lrw gf128mul ablk_helper cryptd aes_i586 mbcache sr_mod sd_mod cdrom ata_generic ata_piix libata psmouse e1000 scsi_mod i2c_piix4 floppy
[  111.092145] CPU: 0 PID: 409 Comm: int8.elf Not tainted 4.9.0-8-686-pae #1 Debian 4.9.130-2
[  111.092145] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
[  111.092145] task: f6c88a80 task.stack: f6e52000
[  111.092145] EIP: 0060:[<ce0513ad>] EFLAGS: 00004086 CPU: 0
[  111.092145] EIP is at doublefault_fn+0xd/0x130
[  111.092145] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
[  111.092145] ESI: 00000000 EDI: 00000000 EBP: ce8f13fc ESP: ce8f13d4
[  111.092145]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  111.092145] CR0: 8005003b CR2: 00000014 CR3: 0e8e1000 CR4: 000006f0
[  111.092145] Stack:
[  111.092145]  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  111.092145]  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  111.092145]  00000000 00000000 00000000 00000000 fed00000 ce474ad0 00000000 00017d78
[  111.092145] Call Trace:
[  111.092145] Code: 86 fd ff eb a3 89 f6 8d bc 27 00 00 00 00 55 89 e5 3e 8d 74 26 00 5d e9 e2 79 fd ff 66 90 55 89 e5 56 53 83 ec 20 3e 8d 74 26 00 <65> a1 14 00 00 00 89 45 f4 31 c0 31 c0 c7 45 f0 00 00 00 00 66
[  111.092145] EIP: [<ce0513ad>] [  111.092145] doublefault_fn+0xd/0x130
[  111.092145]  SS:ESP 0068:ce8f13d4
[  111.092145] CR2: 0000000000000014
[  111.092145] ---[ end trace 8afa7884b76cafc1 ]---

Testcase:
---------

int main(void) {
        /* software interrupt, vector 8, issued from user mode */
        asm("int $0x8");
        return 0;
}

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: tcg

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1813201


* Re: [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction
  2019-01-24 19:53 [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction Alberto Ortega
@ 2019-01-30 18:06 ` halfdog
  2020-11-21 22:48 ` [Bug 1813201] " Peter Maydell
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: halfdog @ 2019-01-30 18:06 UTC (permalink / raw)
  To: Bug 1813201; +Cc: qemu-devel

Alberto Ortega writes:
> Public bug reported:
>
> QEMU version:
> -------------
>
> qemu from git, master branch commit
> d058a37a6e8daa8d71a6f2b613eb415b69363755
>
> Release versions are also affected.
>
> Summary:
> --------
>
> QEMU i386 and x86_64 system emulation crash when executing the following
> "int" instruction:
>
> cd08  int 8
>
> This generates a kernel NULL pointer dereference error in Linux, and a
> BSOD error in Windows.
>
> No special permissions are required to execute the instruction, any
> unprivileged user can execute it.
> ...

Funny. Does QEMU share code with VirtualBox? If so, a similar
missing CPL==0 check was fixed in VirtualBox 7 years ago.

https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/
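
Added example, not part of the thread and not QEMU's code: a small C model of the privilege check discussed above. For a software "int n" the architecture compares the IDT gate's DPL with the current privilege level and raises #GP (error code n*8+2) when DPL < CPL, while hardware-generated events skip that check. The gate table, the function names and the "weak" ordering are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model of protected-mode IDT gate checks; not QEMU code. */
enum gate_type { GATE_TASK = 5, GATE_INTR = 14, GATE_TRAP = 15 };
enum outcome { ENTER_HANDLER, TASK_SWITCH, RAISE_GP, RAISE_NP };

struct idt_gate { enum gate_type type; unsigned dpl; bool present; };
struct delivery { enum outcome what; unsigned error_code; };

/* Constructed sample gates: vector 8 as a DPL 0 task gate, vector 0x80 as a
 * DPL 3 trap gate that user mode is allowed to invoke. */
static const struct idt_gate df_gate = { GATE_TASK, 0, true };
static const struct idt_gate syscall_gate = { GATE_TRAP, 3, true };

/* Error code for a fault referencing IDT entry `vector`: index << 3 | IDT bit. */
static unsigned idt_error_code(unsigned vector) { return vector * 8 + 2; }

/* Weak ordering (constructed): the task gate is dispatched before the
 * privilege check, so "int 8" at CPL 3 reaches a DPL 0 gate. */
struct delivery deliver_weak(const struct idt_gate *g, unsigned vector,
                             unsigned cpl, bool soft_int)
{
    if (g->type == GATE_TASK)
        return (struct delivery){ TASK_SWITCH, 0 };
    if (soft_int && g->dpl < cpl)
        return (struct delivery){ RAISE_GP, idt_error_code(vector) };
    if (!g->present)
        return (struct delivery){ RAISE_NP, idt_error_code(vector) };
    return (struct delivery){ ENTER_HANDLER, 0 };
}

/* Corrected ordering: the DPL check covers every gate type and runs first.
 * Hardware-generated events (soft_int == false) are exempt from it. */
struct delivery deliver_checked(const struct idt_gate *g, unsigned vector,
                                unsigned cpl, bool soft_int)
{
    if (soft_int && g->dpl < cpl)
        return (struct delivery){ RAISE_GP, idt_error_code(vector) };
    if (!g->present)
        return (struct delivery){ RAISE_NP, idt_error_code(vector) };
    if (g->type == GATE_TASK)
        return (struct delivery){ TASK_SWITCH, 0 };
    return (struct delivery){ ENTER_HANDLER, 0 };
}

int main(void)
{
    static const char *names[] = { "enter handler", "task switch", "#GP", "#NP" };
    struct delivery w = deliver_weak(&df_gate, 8, 3, true);
    struct delivery c = deliver_checked(&df_gate, 8, 3, true);
    struct delivery h = deliver_checked(&df_gate, 8, 3, false);
    struct delivery s = deliver_checked(&syscall_gate, 0x80, 3, true);

    printf("int 8 at CPL 3, weak:     %s\n", names[w.what]);
    printf("int 8 at CPL 3, checked:  %s (error code %u)\n", names[c.what], c.error_code);
    printf("hardware #DF at CPL 3:    %s\n", names[h.what]);
    printf("int 0x80 at CPL 3:        %s\n", names[s.what]);
    return 0;
}
```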


* [Bug 1813201] Re: QEMU TCG i386 / x86_64 system emulation crash when executing int instruction
  2019-01-24 19:53 [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction Alberto Ortega
  2019-01-30 18:06 ` halfdog
@ 2020-11-21 22:48 ` Peter Maydell
  2021-01-21 18:15 ` Thomas Huth
  2021-04-30  7:18 ` Thomas Huth
  3 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2020-11-21 22:48 UTC (permalink / raw)
  To: qemu-devel

This should be fixed by this patch:
https://patchew.org/QEMU/20201121224445.16236-1-peter.maydell@linaro.org/


** Changed in: qemu
       Status: New => In Progress


* [Bug 1813201] Re: QEMU TCG i386 / x86_64 system emulation crash when executing int instruction
  2019-01-24 19:53 [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction Alberto Ortega
  2019-01-30 18:06 ` halfdog
  2020-11-21 22:48 ` [Bug 1813201] " Peter Maydell
@ 2021-01-21 18:15 ` Thomas Huth
  2021-04-30  7:18 ` Thomas Huth
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2021-01-21 18:15 UTC (permalink / raw)
  To: qemu-devel

https://git.qemu.org/?p=qemu.git;a=commitdiff;h=3df1a3d070575419859

** Changed in: qemu
       Status: In Progress => Fix Committed


* [Bug 1813201] Re: QEMU TCG i386 / x86_64 system emulation crash when executing int instruction
  2019-01-24 19:53 [Qemu-devel] [Bug 1813201] [NEW] QEMU TCG i386 / x86_64 system emulation crash when executing int instruction Alberto Ortega
                   ` (2 preceding siblings ...)
  2021-01-21 18:15 ` Thomas Huth
@ 2021-04-30  7:18 ` Thomas Huth
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2021-04-30  7:18 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released

