* [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses
@ 2012-05-03 18:32 Peter Maydell
2012-05-03 18:33 ` Alexander Graf
2012-05-08 17:29 ` Anthony Liguori
0 siblings, 2 replies; 3+ messages in thread
From: Peter Maydell @ 2012-05-03 18:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Riku Voipio, Alexander Graf, patches
h2g() will assert if passed an address that's not a valid guest address,
so handle_cpu_signal() needs to check before passing "data address
which caused a segfault" to it, since for a misbehaving guest
that could be anything. If the address isn't a valid guest address
then we can simply skip the attempt to unprotect a guest page
which was made read-only to catch self-modifying code.
This assertion probably fires more readily now than it used to
do because of recent changes to default to reserving guest address
space.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
I've tentatively marked this as for-1.1 as it's pretty safe, although
it doesn't buy you a great deal: misbehaving guest binaries will
die cleanly with a segfault rather than qemu asserting and then
locking up (assert() in qemu's linux-user code doesn't really behave
very nicely...)
user-exec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/user-exec.c b/user-exec.c
index be6bc4f..d8c2ad9 100644
--- a/user-exec.c
+++ b/user-exec.c
@@ -97,7 +97,8 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
pc, address, is_write, *(unsigned long *)old_set);
#endif
/* XXX: locking issue */
- if (is_write && page_unprotect(h2g(address), pc, puc)) {
+ if (is_write && h2g_valid(address)
+ && page_unprotect(h2g(address), pc, puc)) {
return 1;
}
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses
2012-05-03 18:32 [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses Peter Maydell
@ 2012-05-03 18:33 ` Alexander Graf
2012-05-08 17:29 ` Anthony Liguori
1 sibling, 0 replies; 3+ messages in thread
From: Alexander Graf @ 2012-05-03 18:33 UTC (permalink / raw)
To: Peter Maydell; +Cc: Riku Voipio, qemu-devel, patches
On 03.05.2012, at 20:32, Peter Maydell wrote:
> h2g() will assert if passed an address that's not a valid guest address,
> so handle_cpu_signal() needs to check before passing "data address
> which caused a segfault" to it, since for a misbehaving guest
> that could be anything. If the address isn't a valid guest address
> then we can simply skip the attempt to unprotect a guest page
> which was made read-only to catch self-modifying code.
>
> This assertion probably fires more readily now than it used to
> do because of recent changes to default to reserving guest address
> space.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Yup, just wrote the same thing a few hours ago.
Acked-by: Alexander Graf <agraf@suse.de>
> ---
> I've tentatively marked this as for-1.1 as it's pretty safe, although
> it doesn't buy you a great deal: misbehaving guest binaries will
> die cleanly with a segfault rather than qemu asserting and then
> locking up (assert() in qemu's linux-user code doesn't really behave
> very nicely...)
It's definitely 1.1 material.
Alex
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses
2012-05-03 18:32 [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses Peter Maydell
2012-05-03 18:33 ` Alexander Graf
@ 2012-05-08 17:29 ` Anthony Liguori
1 sibling, 0 replies; 3+ messages in thread
From: Anthony Liguori @ 2012-05-08 17:29 UTC (permalink / raw)
To: Peter Maydell; +Cc: Riku Voipio, qemu-devel, patches, Alexander Graf
On 05/03/2012 01:32 PM, Peter Maydell wrote:
> h2g() will assert if passed an address that's not a valid guest address,
> so handle_cpu_signal() needs to check before passing "data address
> which caused a segfault" to it, since for a misbehaving guest
> that could be anything. If the address isn't a valid guest address
> then we can simply skip the attempt to unprotect a guest page
> which was made read-only to catch self-modifying code.
>
> This assertion probably fires more readily now than it used to
> do because of recent changes to default to reserving guest address
> space.
>
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
Applied. Thanks.
Regards,
Anthony Liguori
> ---
> I've tentatively marked this as for-1.1 as it's pretty safe, although
> it doesn't buy you a great deal: misbehaving guest binaries will
> die cleanly with a segfault rather than qemu asserting and then
> locking up (assert() in qemu's linux-user code doesn't really behave
> very nicely...)
>
> user-exec.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/user-exec.c b/user-exec.c
> index be6bc4f..d8c2ad9 100644
> --- a/user-exec.c
> +++ b/user-exec.c
> @@ -97,7 +97,8 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
> pc, address, is_write, *(unsigned long *)old_set);
> #endif
> /* XXX: locking issue */
> - if (is_write&& page_unprotect(h2g(address), pc, puc)) {
> + if (is_write&& h2g_valid(address)
> +&& page_unprotect(h2g(address), pc, puc)) {
> return 1;
> }
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-05-08 17:29 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-03 18:32 [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses Peter Maydell
2012-05-03 18:33 ` Alexander Graf
2012-05-08 17:29 ` Anthony Liguori
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).