Subject: Re: [Qemu-devel] [PATCH] kvmvapic: add read operation to the MemoryRegionOps to fix segfault
From: Jan Kiszka
Date: Mon, 18 Feb 2013 09:35:11 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
On 2013-02-16 10:20, Tommi Rantala wrote:
> QEMU would occasionally segfault when fuzzing the linux kernel with
> Trinity. Add a read op (copied from hw/kvm/apic.c) to vapic_ops to
> prevent the crash.
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffeddcc700 (LWP 15999)]
> 0x0000000000000000 in ?? ()
> (gdb) bt
> #0 0x0000000000000000 in ?? ()
> #1 0x00005555557bbd2d in memory_region_read_accessor (opaque=0x555556be77c8,
> addr=<optimized out>, value=0x7fffeddcbaf0, size=1, shift=0, mask=255) at
> /home/ttrantal/git/qemu/memory.c:316
> #2 0x00005555557bb612 in access_with_adjusted_size (address@hidden,
> address@hidden, size=1, access_size_min=<optimized out>,
> access_size_max=<optimized out>, address@hidden 0x5555557bbcd0
> <memory_region_read_accessor>, address@hidden) at
> /home/ttrantal/git/qemu/memory.c:364
> #3 0x00005555557bcde8 in memory_region_iorange_read (iorange=0x555556874d90,
> offset=0, width=1, data=0x7fffeddcbaf0) at
> /home/ttrantal/git/qemu/memory.c:409
> #4 0x00005555557b6c37 in ioport_readb_thunk (opaque=<optimized out>,
> addr=<optimized out>) at /home/ttrantal/git/qemu/ioport.c:186
> #5 0x00005555557b74ee in ioport_read (address=0, index=0) at
> /home/ttrantal/git/qemu/ioport.c:70
> #6 cpu_inb (address@hidden) at /home/ttrantal/git/qemu/ioport.c:309
> #7 0x00005555557b98a3 in kvm_handle_io (count=1, size=1, direction=0,
> data=<optimized out>, port=126) at /home/ttrantal/git/qemu/kvm-all.c:1414
> #8 kvm_cpu_exec (address@hidden) at
> /home/ttrantal/git/qemu/kvm-all.c:1581
> #9 0x0000555555763bb1 in qemu_kvm_cpu_thread_fn (arg=0x555556bcc870) at
> /home/ttrantal/git/qemu/cpus.c:759
> #10 0x00007ffff6487d15 in start_thread (arg=0x7fffeddcc700) at
> pthread_create.c:308
> #11 0x00007ffff297946d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
> (gdb)
>
> Signed-off-by: Tommi Rantala <address@hidden>
> ---
> hw/kvmvapic.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/kvmvapic.c b/hw/kvmvapic.c
> index 1b5f416..d4420fe 100644
> --- a/hw/kvmvapic.c
> +++ b/hw/kvmvapic.c
> @@ -615,6 +615,12 @@ static int vapic_prepare(VAPICROMState *s)
> return 0;
> }
>
> +static uint64_t vapic_read(void *opaque, hwaddr addr,
> + unsigned int size)
> +{
> + return ~(uint64_t)0;
> +}
> +
> static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
> unsigned int size)
> {
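Review bot: vapic_read in this hunk returns ~(uint64_t)0 unconditionally with no comment saying why, so a later reader cannot tell a deliberate stub from an unfinished handler; since the commit message states the handler was copied from hw/kvm/apic.c to stop the NULL-pointer call on guest reads, add a one-line comment above the function, e.g. `/* Reads of this region carry no data; return all-ones, as hw/kvm/apic.c does */`. The unused opaque, addr and size parameters are fine for a MemoryRegionOps callback and need no change.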
> @@ -683,6 +689,7 @@ static void vapic_write(void *opaque, hwaddr addr,
> uint64_t data,
> }
>
> static const MemoryRegionOps vapic_ops = {
> + .read = vapic_read,
> .write = vapic_write,
> .endianness = DEVICE_NATIVE_ENDIAN,
> };
>
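Review bot: the `.read = vapic_read` line is what removes the crash path shown in the backtrace (frame #1, memory_region_read_accessor jumping to address 0x0 because vapic_ops had no read handler), so the fix is complete for this device, but it is a per-device fix: any other MemoryRegionOps that omits .read still lets a guest reach the same NULL call via a plain port or MMIO read, as the fuzzer did here via port 126. It would be worth stating in the commit message that the crash is guest-triggerable, so that the systematic check (rejecting ops without both handlers, or guarding the dispatch) is tracked as a follow-up rather than considered closed by this patch.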
I'm generally fine with the patch but, to avoid such issues
systematically, we should either catch NULL handlers on execution or
reject ops registration if there is one. I'm leaning a bit toward the
latter as almost any device should require both handlers.
Jan
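The two systematic options Jan raises, rejecting an ops table with a NULL handler at registration time and catching a missing handler at dispatch time, as an added self-contained example. This is not QEMU code: ToyRegionOps, ToyRegion, toy_region_init_io and toy_region_read are stand-ins for QEMU's MemoryRegionOps, MemoryRegion, memory_region_init_io and the read accessor, and the sample device is a constructed write-only region modelled on the pre-patch vapic_ops.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for QEMU's MemoryRegionOps (assumed shape, not the real struct). */
typedef struct {
    uint64_t (*read)(void *opaque, uint64_t addr, unsigned size);
    void (*write)(void *opaque, uint64_t addr, uint64_t data, unsigned size);
} ToyRegionOps;

/* Toy stand-in for a registered MemoryRegion. */
typedef struct {
    const ToyRegionOps *ops;
    void *opaque;
} ToyRegion;

/* Strategy 1 (the one the reply leans toward): refuse to register an ops
 * table unless both handlers are present. Returns 0 on success, -1 if a
 * handler is NULL, so the bug surfaces at device init instead of on the
 * first guest access. */
int toy_region_init_io(ToyRegion *mr, const ToyRegionOps *ops, void *opaque)
{
    if (ops == NULL || ops->read == NULL || ops->write == NULL) {
        return -1;
    }
    mr->ops = ops;
    mr->opaque = opaque;
    return 0;
}

/* Strategy 2: tolerate a missing handler on the dispatch path instead of
 * calling through a NULL function pointer. A missing read yields all-ones,
 * the same value the patch's vapic_read stub returns. */
uint64_t toy_region_read(const ToyRegion *mr, uint64_t addr, unsigned size)
{
    if (mr->ops->read == NULL) {
        return ~(uint64_t)0;
    }
    return mr->ops->read(mr->opaque, addr, size);
}

/* Constructed sample device: one byte of state, write-only in the buggy
 * configuration, read/write in the complete one. */
static uint8_t sample_state;

static uint64_t sample_read(void *opaque, uint64_t addr, unsigned size)
{
    (void)opaque; (void)addr; (void)size;
    return sample_state;
}

static void sample_write(void *opaque, uint64_t addr, uint64_t data, unsigned size)
{
    (void)opaque; (void)addr; (void)size;
    sample_state = (uint8_t)data;
}

/* Like vapic_ops before the patch: .read is left NULL. */
static const ToyRegionOps write_only_ops = { .write = sample_write };
/* Like vapic_ops after the patch: both handlers set. */
static const ToyRegionOps complete_ops = { .read = sample_read, .write = sample_write };

/* Registration rejects the write-only table (returns 1 when it does). */
int demo_registration_rejects_write_only(void)
{
    ToyRegion r;
    return toy_region_init_io(&r, &write_only_ops, NULL) == -1;
}

/* Registration accepts the complete table (returns 1 when it does). */
int demo_registration_accepts_complete(void)
{
    ToyRegion r;
    return toy_region_init_io(&r, &complete_ops, NULL) == 0;
}

/* Dispatch-time guard: a region wired up with the write-only table (bypassing
 * the registration check on purpose) reads as all-ones instead of crashing. */
uint64_t demo_dispatch_on_missing_read(void)
{
    ToyRegion r = { .ops = &write_only_ops, .opaque = NULL };
    return toy_region_read(&r, 0, 1);
}

/* Normal path: write a byte through the complete table and read it back. */
uint64_t demo_dispatch_with_read(void)
{
    ToyRegion r;
    toy_region_init_io(&r, &complete_ops, NULL);
    r.ops->write(r.opaque, 0, 0x42, 1);
    return toy_region_read(&r, 0, 1);
}

int main(void)
{
    printf("reject write-only: %d\n", demo_registration_rejects_write_only());
    printf("accept complete:   %d\n", demo_registration_accepts_complete());
    printf("missing read:      0x%llx\n", (unsigned long long)demo_dispatch_on_missing_read());
    printf("round trip:        0x%llx\n", (unsigned long long)demo_dispatch_with_read());
    return 0;
}
```

The registration check is the cheaper of the two to reason about: it runs once per device at init and makes an incomplete ops table a build-and-boot-time failure, whereas the dispatch guard costs a branch on every guest access and hides the omission behind a default value.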