On 5/11/20 8:19 AM, Philippe Mathieu-Daudé wrote:
On 5/11/20 6:59 AM, Alexander Bulekov wrote:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
mch_update_pciexbar:
#6 0x7f38d387c55a in abort
/build/glibc-GwnBeO/glibc-2.30/stdlib/abort.c:79:7
#7 0x55c27e94ffd0 in mch_update_pciexbar hw/pci-host/q35.c:331:9
#8 0x55c27e94db38 in mch_write_config hw/pci-host/q35.c:487:9
#9 0x55c27e9e3f4c in pci_host_config_write_common hw/pci/pci_host.c:81:5
#10 0x55c27e9e5307 in pci_data_write hw/pci/pci_host.c:118:5
#11 0x55c27e9e6601 in pci_host_data_write hw/pci/pci_host.c:165:9
#12 0x55c27ca3b17b in memory_region_write_accessor memory.c:496:5
#13 0x55c27ca3a5e4 in access_with_adjusted_size memory.c:557:18
#14 0x55c27ca38177 in memory_region_dispatch_write memory.c:1488:16
#15 0x55c27c721325 in flatview_write_continue exec.c:3174:23
#16 0x55c27c70994d in flatview_write exec.c:3214:14
#17 0x55c27c709462 in address_space_write exec.c:3305:18
These lines don't match QEMU v5.0.0.
I can reproduce it in a qemu 5.0 build using:
cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 \
-M pc-q35-5.0 -display none -nodefaults -nographic -qtest stdio
outl 0xcf8 0xf2000060
outl 0xcfc 0x8400056e
EOF
The guest shouldn't ask for a reserved bar length (grep for
MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD). I suppose we should simply report
it as GUEST_ERROR and ignore it.
This patch prevents the crash:
-- >8 --
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 2bbc90b28f..2b744aca93 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -36,6 +36,7 @@
#include "qapi/error.h"
#include "qapi/visitor.h"
#include "qemu/module.h"
+#include "qemu/log.h"
/****************************************************************************
* Q35 host
@@ -320,6 +321,9 @@ static void mch_update_pciexbar(MCHPCIState *mch)
addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK;
break;
case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD:
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid use of reserved
value\n",
+ __func__);
+ return;
default:
abort();
}
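Review bot: the early `return` added in the `MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD` case skips the rest of mch_update_pciexbar, and if, as the mch_write_config caller in frame #8 of the trace suggests, the config bytes have already been stored by the time this runs, the guest will read back a PCIEXBAR carrying the reserved length while whatever mapping was programmed before stays in effect; either say in the commit message that this is the intended "ignore" semantics or restore the previous register value if the write is meant to be rejected. Two smaller points: the format string on the `+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid use of reserved` line is wrapped across two lines in the mail ("... reserved" / "value\n",), so check that the literal is on one line in the patch that gets applied; and consider logging the offending PCIEXBAR value next to `__func__`, so a guest-error log from a fuzzer run is actionable without a debugger.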
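To see why the two outl lines in the reproducer land in the reserved-length case, here is a small decoder for that qtest input. This is an added example for this thread, not code from QEMU or from anyone in the discussion. It assumes the PCI type-1 CONFIG_ADDRESS layout for port 0xcf8 (bit 31 enable, bus in bits 23:16, device in 15:11, function in 10:8, dword register in 7:2) and the PCIEXBAR layout used by hw/pci-host/q35.c (register 0x60 of the host bridge at 00:00.0, enable in bit 0, length code in bits 2:1 with 0=256M, 1=128M, 2=64M, 3=reserved); the constant names mirror the MCH_HOST_BRIDGE_PCIEXBAR_* macros but should be checked against hw/pci-host/q35.h for the version you are reading. The qtest text is embedded inline, copied from the report.

```python
"""Decode the qtest reproducer: which config register the two outl writes
reach, and what the PCIEXBAR length field decodes to.

Added example for this mail thread, not QEMU code.  Register layout
(PCIEXBAR at 0x60 on 00:00.0, enable bit 0, length in bits [2:1],
0=256M/1=128M/2=64M/3=reserved) is an assumption taken from the Q35 host
bridge definitions; verify against hw/pci-host/q35.h.
"""

# Constructed input: the two qtest commands quoted in the report.
QTEST_SCRIPT = """\
outl 0xcf8 0xf2000060
outl 0xcfc 0x8400056e
"""

PCIEXBAR_OFFSET = 0x60                 # assumed: MCH_HOST_BRIDGE_PCIEXBAR
PCIEXBAR_ENABLE = 1 << 0               # assumed: MCH_HOST_BRIDGE_PCIEXBAREN
PCIEXBAR_LENGTH_SHIFT = 1              # assumed: length field is bits [2:1]
PCIEXBAR_LENGTH_MASK = 0x3 << PCIEXBAR_LENGTH_SHIFT
LENGTH_NAMES = {0: "256M", 1: "128M", 2: "64M", 3: "RESERVED"}


def decode_cf8(addr):
    """Split a CONFIG_ADDRESS (port 0xcf8) value into its type-1 fields."""
    return {
        "enable": bool(addr & 0x80000000),
        "bus": (addr >> 16) & 0xff,
        "device": (addr >> 11) & 0x1f,
        "function": (addr >> 8) & 0x7,
        "register": addr & 0xfc,       # dword-aligned register offset
    }


def decode_pciexbar_length(value):
    """Name the length encoding of a PCIEXBAR value.  The reserved encoding
    is reported as a string rather than treated as unreachable, which is
    the behaviour the patch in this thread moves q35.c towards."""
    code = (value & PCIEXBAR_LENGTH_MASK) >> PCIEXBAR_LENGTH_SHIFT
    return LENGTH_NAMES[code]


def parse_qtest(script):
    """Pair 'outl 0xcf8 ADDR' with the following 'outl 0xcfc DATA' into
    (decoded address, data) config-space writes; other lines are ignored."""
    writes = []
    pending = None
    for line in script.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "outl":
            continue
        port, val = int(parts[1], 0), int(parts[2], 0)
        if port == 0xcf8:
            pending = decode_cf8(val)
        elif port == 0xcfc and pending is not None:
            writes.append((pending, val))
            pending = None
    return writes


def analyse(script):
    """For each config write: (target, length name, enable bit).  Writes
    that do not hit PCIEXBAR on the host bridge get (target, None, None)."""
    results = []
    for hdr, val in parse_qtest(script):
        target = "%02x:%02x.%x reg 0x%02x" % (
            hdr["bus"], hdr["device"], hdr["function"], hdr["register"])
        hits_pciexbar = (hdr["bus"], hdr["device"], hdr["function"]) == (0, 0, 0) \
            and hdr["register"] == PCIEXBAR_OFFSET
        if hits_pciexbar:
            results.append((target, decode_pciexbar_length(val),
                            bool(val & PCIEXBAR_ENABLE)))
        else:
            results.append((target, None, None))
    return results


if __name__ == "__main__":
    for target, length, enabled in analyse(QTEST_SCRIPT):
        print(target, length, "enable=%s" % enabled)
```

Under the assumed layout, 0xf2000060 selects register 0x60 of 00:00.0 (the extra set bits in the top byte are outside the bus/device/function/register fields), and 0x8400056e has length code 3, the reserved encoding, with the enable bit clear. That is the interesting detail for triage: the decode in mch_update_pciexbar is reached even though the guest did not enable the window, so any check added there has to happen before the switch, not only on the enable path.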