qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] kvmvapic: add read operation to the MemoryRegio

From: Jan Kiszka
Subject: Re: [Qemu-devel] [PATCH] kvmvapic: add read operation to the MemoryRegionOps to fix segfault
Date: Mon, 18 Feb 2013 09:35:11 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666 
On 2013-02-16 10:20, Tommi Rantala wrote:
> QEMU would occasionally segfault when fuzzing the linux kernel with
> Trinity. Add a read op (copied from hw/kvm/apic.c) to vapic_ops to
> prevent the crash.
> 
>  Program received signal SIGSEGV, Segmentation fault.
>  [Switching to Thread 0x7fffeddcc700 (LWP 15999)]
>  0x0000000000000000 in ?? ()
>  (gdb) bt
>  #0  0x0000000000000000 in ?? ()
>  #1  0x00005555557bbd2d in memory_region_read_accessor (opaque=0x555556be77c8,
>      addr=<optimized out>, value=0x7fffeddcbaf0, size=1, shift=0, mask=255) at
>      /home/ttrantal/git/qemu/memory.c:316
>  #2  0x00005555557bb612 in access_with_adjusted_size (address@hidden,
>      address@hidden, size=1, access_size_min=<optimized out>,
>      access_size_max=<optimized out>, address@hidden 0x5555557bbcd0
>      <memory_region_read_accessor>, address@hidden) at
>      /home/ttrantal/git/qemu/memory.c:364
>  #3  0x00005555557bcde8 in memory_region_iorange_read (iorange=0x555556874d90,
>      offset=0, width=1, data=0x7fffeddcbaf0) at 
> /home/ttrantal/git/qemu/memory.c:409
>  #4  0x00005555557b6c37 in ioport_readb_thunk (opaque=<optimized out>,
>      addr=<optimized out>) at /home/ttrantal/git/qemu/ioport.c:186
>  #5  0x00005555557b74ee in ioport_read (address=0, index=0) at
>      /home/ttrantal/git/qemu/ioport.c:70
>  #6  cpu_inb (address@hidden) at /home/ttrantal/git/qemu/ioport.c:309
>  #7  0x00005555557b98a3 in kvm_handle_io (count=1, size=1, direction=0,
>      data=<optimized out>, port=126) at /home/ttrantal/git/qemu/kvm-all.c:1414
>  #8  kvm_cpu_exec (address@hidden) at
>      /home/ttrantal/git/qemu/kvm-all.c:1581
>  #9  0x0000555555763bb1 in qemu_kvm_cpu_thread_fn (arg=0x555556bcc870) at
>      /home/ttrantal/git/qemu/cpus.c:759
>  #10 0x00007ffff6487d15 in start_thread (arg=0x7fffeddcc700) at 
> pthread_create.c:308
>  #11 0x00007ffff297946d in clone () at 
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
>  (gdb)
> 
> Signed-off-by: Tommi Rantala <address@hidden>
> ---
>  hw/kvmvapic.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/hw/kvmvapic.c b/hw/kvmvapic.c
> index 1b5f416..d4420fe 100644
> --- a/hw/kvmvapic.c
> +++ b/hw/kvmvapic.c
> @@ -615,6 +615,12 @@ static int vapic_prepare(VAPICROMState *s)
>      return 0;
>  }
>  
> +static uint64_t vapic_read(void *opaque, hwaddr addr,
> +                           unsigned int size)
> +{
> +    return ~(uint64_t)0;
> +}
> +
>  static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
>                          unsigned int size)
>  {
> @@ -683,6 +689,7 @@ static void vapic_write(void *opaque, hwaddr addr, 
> uint64_t data,
>  }
>  
>  static const MemoryRegionOps vapic_ops = {
> +    .read = vapic_read,
>      .write = vapic_write,
>      .endianness = DEVICE_NATIVE_ENDIAN,
>  };
> 

I'm generally fine with the patch but, to avoid such issues
systematically, we should either catch NULL handlers on execution or
reject ops registration if there is one. I'm leaning a bit toward the
latter as almost any device should require both handlers.

Jan

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]