diff options
Diffstat (limited to 'results/classifier/105/other/1713825')
| -rw-r--r-- | results/classifier/105/other/1713825 | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/results/classifier/105/other/1713825 b/results/classifier/105/other/1713825 new file mode 100644 index 00000000..d487186a --- /dev/null +++ b/results/classifier/105/other/1713825 @@ -0,0 +1,107 @@ +other: 0.975 +graphic: 0.963 +semantic: 0.959 +assembly: 0.929 +instruction: 0.927 +device: 0.925 +network: 0.908 +boot: 0.877 +socket: 0.877 +mistranslation: 0.823 +vnc: 0.796 +KVM: 0.790 + +Booting Windows 2016 with qxl video crashes qemu + +launched from libvirt. + +qemu version: 2.9.0 +host: Linux <hostname> 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux +guest: Windows 2016 64 bit + +Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): +#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 + set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, + 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} + pid = <optimized out> + tid = <optimized out> +#1 0x00007f0ea40b644a in __GI_abort () at abort.c:89 + save_stage = 2 + act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, + 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, + sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} + sigs = {__val = {32, 0 <repeats 15 times>}} +#2 0x00007f0ea40abab6 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", + file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, + function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 + str = 0x7f0d1c026220 "\340r\002\034\r\177" + total = 4096 +#3 0x00007f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", + file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, + function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 +No locals. +#4 0x000055af6cc58805 in qxl_ram_set_dirty (qxl=<optimized out>, ptr=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 + base = <optimized out> + offset = <optimized out> + qxl = <optimized out> + ptr = <optimized out> + base = <optimized out> + offset = <optimized out> +#5 0x000055af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 + qxl = 0x55af71a91450 + ring = <optimized out> + item = <optimized out> + id = 18446690739814400920 + __func__ = "interface_release_resource" +#6 0x00007f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 +No locals. +#7 0x00007f0ea510b609 in red_drawable_unref (red_drawable=<optimized out>) at red-worker.c:104 +No locals. +#8 0x00007f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 + display = 0x55af71dbd3c0 + __FUNCTION__ = "drawable_unref" +#9 0x00007f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 + container = 0x0 + now = 0x7f0e68285ac0 +#10 0x00007f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=<optimized out>) at display-channel.c:1729 + surface = 0x7f0e6828aae8 + last = <optimized out> + __FUNCTION__ = "display_channel_draw" + __func__ = "display_channel_draw" + +I reproduce it on 2.10.0 + +Hi Maciej, + Can you clarify: + a) What version of the qxl drivers you have installed in windows + b) Does it crash immediately or only when you do something specific? + c) Can you give the qemu command line and/or libvirt xml + d) What resolution have you got the guest set at? + e) What version are your spice-server libraries at? + +Sorry - email with reply got misdirected in inbox: + +a) qxldod.sys 02/20/2017,10.0.0.16000 +b) Immediately during boot. I assume during loading the driver +c) Attached working configuration. For repro I change cirrus to qxl and delete arguments to have defaults set by libvirt. +d) 1920x1080 I think. I cannot double check as it, well, crashes +e) 0.13.90 + +Doesn't reproduce. It's a newer driver though (10.0.0.18000). +Does updating the driver help? + +It helps but I'm quite sure that lower level security systems (guest) should never be able to crash higher level security systems (hypervisor). + +PS. It repros in 2.10.0 as well. + +Guest triggerable assert() isn't exactly nice indeed. +But it's not a show stopper. +It doesn't allow exploiting the host, the guest can only DoS itself. +And you must be priviledged in the guest to do so. + +Most likely this is the driver placing the qxl commands in the wrong pci bar. See commit 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858. Seems the impact is more than breaking live migration. So, I can raise a error irq and have qxl enter guest bug mode. That doesn't improve the situation much though, the guest will continue running but you will have broken display ... + +Does this issue still persist with the latest version of QEMU/libvirt/qxl-drivers ? + +[Expired for QEMU because there has been no activity for 60 days.] + |