diff for duplicates of <87pn9fqjcd.fsf@linaro.org> diff --git a/a/1.txt b/N1/1.txt index f878a07..87fe3d9 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,4 +1,3 @@ - Philippe Mathieu-Daudé <philmd@redhat.com> writes: > On 7/1/20 3:56 PM, Alex Bennée wrote: 
@@ -33,3 +32,68 @@ at that bug. -- Alex Bennée + +-- +You received this bug notification because you are a member of qemu- +devel-ml, which is subscribed to QEMU. +https://bugs.launchpad.net/bugs/1878645 + +Title: + null-ptr dereference in ich9_apm_ctrl_changed + +Status in QEMU: + New + +Bug description: + Hello, + While fuzzing, I found an input which triggers a NULL pointer dereference in + tcg_handle_interrupt. It seems the culprint is a "cpu" pointer - maybe this bug + is specific to QTest? + + ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0) + ==23862==The signal is caused by a READ memory access. + ==23862==Hint: address points to the zero page. + #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21 + #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5 + #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13 + #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13 + #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5 + #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18 + #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16 + #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23 + #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14 + #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18 + #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5 + #11 0x55b9dc72d3c0 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13 + #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9 + #13 0x55b9dc72a8b3 in qtest_read 
/home/alxndr/Development/qemu/qtest.c:722:5 + #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9 + #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9 + #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9 + #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12 + #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897) + #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9 + #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5 + #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11 + #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9 + #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5 + #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16 + #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819) + + + I can reproduce this in qemu 5.0 built with AddressSanitizer using these qtest commands: + + cat << EOF | ./qemu-system-i386 \ + -qtest stdio -nographic -monitor none -serial none \ + -M pc-q35-5.0 + outl 0xcf8 0x8400f841 + outl 0xcfc 0xaa215d6d + outl 0x6d30 0x2ef8ffbe + outb 0xb2 0x20 + EOF + + Please let me know if I can provide any further info. + -Alex + +To manage notifications about this bug go to: +https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions diff --git a/a/content_digest b/N1/content_digest index a6fb4b7..7831e55 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,21 +1,12 @@ - "ref\020200701135652.1366-1-alex.bennee@linaro.org\0" + "ref\0158947246472.30762.752698283456022174.malonedeb@chaenomeles.canonical.com\0" "ref\020200701135652.1366-2-alex.bennee@linaro.org\0" "ref\085314d31-813a-8c20-7522-5186d5f31884@redhat.com\0" - "From\0Alex Benn\303\251e <alex.bennee@linaro.org>\0" - "Subject\0Re: [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ\0" - "Date\0Wed, 01 Jul 2020 17:40:50 +0100\0" - "To\0Philippe Mathieu-Daud\303\251 <philmd@redhat.com>\0" - "Cc\0fam@euphon.net" - berrange@redhat.com - Michael S. Tsirkin <mst@redhat.com> - Bug 1878645 <1878645@bugs.launchpad.net> - richard.henderson@linaro.org - qemu-devel@nongnu.org - cota@braap.org - " aurelien@aurel32.net\0" + "From\0Alex Benn\303\251e <1878645@bugs.launchpad.net>\0" + "Subject\0[Bug 1878645] Re: [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ\0" + "Date\0Wed, 01 Jul 2020 16:40:50 -0000\0" + "To\0qemu-devel@nongnu.org\0" "\00:1\0" "b\0" - "\n" "Philippe Mathieu-Daud\303\251 <philmd@redhat.com> writes:\n" "\n" "> On 7/1/20 3:56 PM, Alex Benn\303\251e wrote:\n" 
@@ -49,6 +40,71 @@ "at that bug.\n" "\n" "-- \n" - "Alex Benn\303\251e" + "Alex Benn\303\251e\n" + "\n" + "-- \n" + "You received this bug notification because you are a member of qemu-\n" + "devel-ml, which is subscribed to QEMU.\n" + "https://bugs.launchpad.net/bugs/1878645\n" + "\n" + "Title:\n" + " null-ptr dereference in ich9_apm_ctrl_changed\n" + "\n" + "Status in QEMU:\n" + " New\n" + "\n" + "Bug description:\n" + " Hello,\n" + " While fuzzing, I found an input which triggers a NULL pointer dereference in\n" + " tcg_handle_interrupt. It seems the culprint is a \"cpu\" pointer - maybe this bug\n" + " is specific to QTest?\n" + "\n" + " ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)\n" + " ==23862==The signal is caused by a READ memory access.\n" + " ==23862==Hint: address points to the zero page.\n" + " #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21\n" + " #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5\n" + " #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13\n" + " #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13\n" + " #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5\n" + " #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18\n" + " #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16\n" + " #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23\n" + " #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14\n" + " #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18\n" + " #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5\n" + " #11 0x55b9dc72d3c0 in 
qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13\n" + " #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9\n" + " #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5\n" + " #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9\n" + " #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9\n" + " #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9\n" + " #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12\n" + " #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)\n" + " #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9\n" + " #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5\n" + " #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11\n" + " #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9\n" + " #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5\n" + " #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16\n" + " #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)\n" + "\n" + " \n" + " I can reproduce this in qemu 5.0 built with AddressSanitizer using these qtest commands:\n" + "\n" + " cat << EOF | ./qemu-system-i386 \\\n" + " -qtest stdio -nographic -monitor none -serial none \\\n" + " -M pc-q35-5.0\n" + " outl 0xcf8 0x8400f841\n" + " outl 0xcfc 0xaa215d6d\n" + " outl 0x6d30 0x2ef8ffbe\n" + " outb 0xb2 0x20\n" + " EOF\n" + "\n" + " Please let me know if I can provide any further info.\n" + " -Alex\n" + "\n" + "To manage notifications about this bug go to:\n" + 
https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions -52b9c1df4e33d311922b374546a818b33bb43f37aee07f1a63a01561a6fded85 +a9d6a9e81e1a8abbe89a342d2f28abc907e690ff6f3d9ef5f2ec14ef2d686f24