From: Anthony Liguori
Date: Tue, 08 May 2012 12:29:42 -0500
Message-ID: <4FA95806.4020206@codemonkey.ws>
In-Reply-To: <1336069935-2106-1-git-send-email-peter.maydell@linaro.org>
Subject: Re: [Qemu-devel] [PATCH for-1.1] user-exec.c: Don't assert on segfaults for non-valid addresses
To: Peter Maydell
Cc: Riku Voipio, qemu-devel@nongnu.org, patches@linaro.org, Alexander Graf

On 05/03/2012 01:32 PM, Peter Maydell wrote:
> h2g() will assert if passed an address that's not a valid guest address,
> so handle_cpu_signal() needs to check before passing "data address
> which caused a segfault" to it, since for a misbehaving guest
> that could be anything. If the address isn't a valid guest address
> then we can simply skip the attempt to unprotect a guest page
> which was made read-only to catch self-modifying code.
>
> This assertion probably fires more readily now than it used to
> do because of recent changes to default to reserving guest address
> space.
>
> Signed-off-by: Peter Maydell

Applied. Thanks.

Regards,

Anthony Liguori

> ---
> I've tentatively marked this as for-1.1 as it's pretty safe, although
> it doesn't buy you a great deal: misbehaving guest binaries will
> die cleanly with a segfault rather than qemu asserting and then
> locking up (assert() in qemu's linux-user code doesn't really behave
> very nicely...)
>
> user-exec.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/user-exec.c b/user-exec.c
> index be6bc4f..d8c2ad9 100644
> --- a/user-exec.c
> +++ b/user-exec.c
> @@ -97,7 +97,8 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
> pc, address, is_write, *(unsigned long *)old_set);
> #endif
> /* XXX: locking issue */
> - if (is_write&& page_unprotect(h2g(address), pc, puc)) {
> + if (is_write&& h2g_valid(address)
> +&& page_unprotect(h2g(address), pc, puc)) {
> return 1;
> }
>
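Review bot: the new condition is ordered correctly (h2g_valid(address) is evaluated before h2g(address), so the assertion inside h2g() can no longer be reached from this path), but the code carries no hint of why a host address outside the guest space is skipped; a one-line comment next to the h2g_valid() check, along the lines of "fault address may be anything for a misbehaving guest; only guest pages can need unprotecting", would save the next reader a trip to the commit log. The "/* XXX: locking issue */" comment immediately above is left standing and still applies to the page_unprotect() call, so it should either be resolved or stay as a visible TODO rather than be read as covered by this change. Finally, since the hunk ends at the closing brace of the if, it is worth confirming that a write fault which fails h2g_valid() continues down the existing "deliver the signal to the guest" path below, rather than reaching any return 1 that would re-execute the faulting instruction.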
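A small model of the guard the patch adds, written for this page and not taken from QEMU: it shows why a fault address that comes straight from a signal handler must pass a validity check before being converted, and what the handler should do with each kind of address. guest_base, GUEST_ADDR_BITS, the single write-protected page and the page_unprotect() stand-in are constructed values; h2g_valid(), h2g() and handle_write_fault() are simplified stand-ins for the QEMU functions of the same role, not their real definitions.

```c
/* Added example (not QEMU code): the h2g_valid()-before-h2g() guard.
 * Host addresses are modelled as uint64_t so the example also behaves
 * on a 32-bit host; all constants below are assumptions for the model. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: a 32-bit guest address space mapped at host offset guest_base. */
#define GUEST_ADDR_BITS 32
static const uint64_t guest_base = UINT64_C(0x7f0000000000);

/* Host address lies inside the reserved guest range?  The unsigned
 * subtraction wraps for addresses below guest_base, so one compare covers
 * both "too low" and "too high". */
static bool h2g_valid(uint64_t host)
{
    return host - guest_base < (UINT64_C(1) << GUEST_ADDR_BITS);
}

/* Host-to-guest conversion.  The assertion is the one that fired before the
 * fix whenever a stray fault address reached this point unchecked. */
static uint32_t h2g(uint64_t host)
{
    assert(h2g_valid(host));
    return (uint32_t)(host - guest_base);
}

/* Stand-in for page_unprotect(): pretend exactly one guest page was made
 * read-only to catch self-modifying code (constructed value). */
static const uint32_t protected_page = 0x00400000u;
static bool page_unprotect(uint32_t guest_addr)
{
    return (guest_addr & ~0xfffu) == protected_page;
}

/* Mirrors handle_cpu_signal()'s return convention: 1 = page was unprotected,
 * retry the faulting instruction; 0 = real fault, deliver it to the guest. */
enum { FAULT_TO_GUEST = 0, RETRY_AFTER_UNPROTECT = 1 };

static int handle_write_fault(uint64_t host_addr, bool is_write)
{
    /* Guard order matters: h2g() is only reached once the address is known
     * to be a guest address, so an attacker-chosen fault address cannot
     * trip the assertion and take the whole emulator down. */
    if (is_write && h2g_valid(host_addr)
        && page_unprotect(h2g(host_addr))) {
        return RETRY_AFTER_UNPROTECT;
    }
    return FAULT_TO_GUEST;
}

int main(void)
{
    /* Constructed fault addresses: a protected guest page, an unprotected
     * guest page, QEMU's own heap (below guest_base), and just past the end
     * of the guest space. */
    const uint64_t cases[] = {
        guest_base + 0x00400010,
        guest_base + 0x00500000,
        UINT64_C(0x55550000),
        guest_base + (UINT64_C(1) << GUEST_ADDR_BITS) + 0x10,
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("fault at %#llx: valid=%d -> %s\n",
               (unsigned long long)cases[i], h2g_valid(cases[i]),
               handle_write_fault(cases[i], true) ? "unprotect and retry"
                                                   : "deliver to guest");
    }
    return 0;
}
```

Without the h2g_valid() check the third and fourth cases would abort inside h2g() instead of being delivered to the guest as an ordinary segfault; with it, only a write to the one protected guest page returns 1.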