Date: Wed, 01 Jul 2020 18:21:00 -0000
From: Philippe Mathieu-Daudé <1878645@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1878645] [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created
Message-ID: <20200701182100.26930-1-philmd@redhat.com>
References: <158947246472.30762.752698283456022174.malonedeb@chaenomeles.canonical.com>
Reply-To: Bug 1878645 <1878645@bugs.launchpad.net>

We can run I/O access with the 'i' or 'o' HMP commands in the
monitor. These commands are expected to run on a vCPU. The
monitor is not a vCPU thread. To avoid crashing, initialize
the 'current_cpu' variable with the first vCPU created. The
command executed on the monitor will end using it.

This fixes:

  $ cat << EOF| qemu-system-i386 -M q35 -nographic -serial none -monitor stdio
  o/4 0xcf8 0x8400f841
  o/4 0xcfc 0xaa215d6d
  o/4 0x6d30 0x2ef8ffbe
  o/1 0xb2 0x20
  EOF
  Segmentation fault (core dumped)

  Thread 1 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  0x00005555558946c7 in tcg_handle_interrupt (cpu=0x0, mask=64) at accel/tcg/tcg-all.c:57
  57          old_mask = cpu->interrupt_request;
  (gdb) bt
  #0  0x00005555558946c7 in tcg_handle_interrupt (cpu=0x0, mask=64) at accel/tcg/tcg-all.c:57
  #1  0x00005555558ed7d2 in cpu_interrupt (cpu=0x0, mask=64) at include/hw/core/cpu.h:877
  #2  0x00005555558ee776 in ich9_apm_ctrl_changed (val=32, arg=0x555556e2ff50) at hw/isa/lpc_ich9.c:442
  #3  0x0000555555b47f96 in apm_ioport_writeb (opaque=0x555556e308c0, addr=0, val=32, size=1) at hw/isa/apm.c:44
  #4  0x0000555555879931 in memory_region_write_accessor (mr=0x555556e308e0, addr=0, value=0x7fffffffb9f8, size=1, shift=0, mask=255, attrs=...) at memory.c:483
  #5  0x0000555555879b5a in access_with_adjusted_size (addr=0, value=0x7fffffffb9f8, size=4, access_size_min=1, access_size_max=1, access_fn=0x55555587984e, mr=0x555556e308e0, attrs=...) at memory.c:544
  #6  0x000055555587ca32 in memory_region_dispatch_write (mr=0x555556e308e0, addr=0, data=32, op=MO_32, attrs=...) at memory.c:1465
  #7  0x000055555581b7e9 in flatview_write_continue (fv=0x55555698a790, addr=178, attrs=..., ptr=0x7fffffffbb84, len=4, addr1=0, l=4, mr=0x555556e308e0) at exec.c:3198
  #8  0x000055555581b92e in flatview_write (fv=0x55555698a790, addr=178, attrs=..., buf=0x7fffffffbb84, len=4) at exec.c:3238
  #9  0x000055555581bc81 in address_space_write (as=0x555556441220, addr=178, attrs=..., buf=0x7fffffffbb84, len=4) at exec.c:3329
  #10 0x0000555555873f08 in cpu_outl (addr=178, val=32) at ioport.c:80
  #11 0x000055555598a26a in hmp_ioport_write (mon=0x5555567621b0, qdict=0x555557702600) at monitor/misc.c:937
  #12 0x0000555555c9c5a5 in handle_hmp_command (mon=0x5555567621b0, cmdline=0x55555676aae1 "/1 0xb2 0x20") at monitor/hmp.c:1082
  #13 0x0000555555c99e02 in monitor_command_cb (opaque=0x5555567621b0, cmdline=0x55555676aae0 "o/1 0xb2 0x20", readline_opaque=0x0) at monitor/hmp.c:47
                                                                                              ^ HMP command from monitor

Reported-by: Alexander Bulekov
Buglink: https://bugs.launchpad.net/qemu/+bug/1878645
Signed-off-by: Philippe Mathieu-Daudé
---
Cc: Bug 1878645 <1878645@bugs.launchpad.net>

RFC because I believe the correct fix is to NOT use current_cpu
out of cpus.c, at least use qemu_get_cpu(0) to get the first vCPU.
---
 cpus.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cpus.c b/cpus.c
index 41d1c5099f..1f6f43d221 100644
--- a/cpus.c
+++ b/cpus.c
@@ -2106,6 +2106,9 @@ void qemu_init_vcpu(CPUState *cpu) { MachineState *ms =3D MACHINE(qdev_get_machine()); = + if (!current_cpu) { + current_cpu =3D cpu; + } cpu->nr_cores =3D ms->smp.cores; cpu->nr_threads =3D ms->smp.threads; cpu->stopped =3D true; -- = 2.21.3 -- = You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1878645 Title: null-ptr dereference in ich9_apm_ctrl_changed Status in QEMU: New Bug description: Hello, While fuzzing, I found an input which triggers a NULL pointer dereference= in tcg_handle_interrupt. It seems the culprint is a "cpu" pointer - maybe th= is bug is specific to QTest? =3D=3D23862=3D=3DERROR: AddressSanitizer: SEGV on unknown address 0x00000= 00000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0) =3D=3D23862=3D=3DThe signal is caused by a READ memory access. =3D=3D23862=3D=3DHint: address points to the zero page. #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qe= mu/accel/tcg/tcg-all.c:57:21 #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/incl= ude/hw/core/cpu.h:872:5 #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/q= emu/hw/isa/lpc_ich9.c:442:13 #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/= hw/isa/apm.c:50:13 #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Develo= pment/qemu/memory.c:483:5 #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Developme= nt/qemu/memory.c:544:18 #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Develo= pment/qemu/memory.c:1476:16 #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development= /qemu/exec.c:3137:23 #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exe= c.c:3177:14 #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qem= u/exec.c:3268:18 #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c= :60:5 #11 0x55b9dc72d3c0 in 
qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13
      #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
      #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
      #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
      #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
      #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
      #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
      #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
      #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
      #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
      #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  I can reproduce this in qemu 5.0 built with AddressSanitizer using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions
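Review bot: The `if (!current_cpu) { current_cpu = cpu; }` block added in qemu_init_vcpu() sets current_cpu as an unexplained side effect of vCPU creation; at minimum put a comment on it saying it exists so that I/O issued from non-vCPU contexts (the HMP 'i'/'o' commands in the patch's backtrace, the qtest path in the bug report) no longer reach cpu_interrupt() with cpu=0x0, and since the cover letter itself says the correct fix is to not use current_cpu outside cpus.c, the device side (ich9_apm_ctrl_changed, frame #2 in both traces) is the better place for an explicit lookup such as the qemu_get_cpu(0) the author proposes. The commit message also only names the HMP monitor, while the original report hits the same dereference through qtest_process_command -> cpu_outb; say explicitly that this path is covered too, and the qtest reproducer already in the report would make a cheap regression test to ship with the fix.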