1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
|
ARM Highbank Crashes Realted to GIC
Hello,
Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device.
Reproducer 1:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writel 0xfff11f00 0x8405f559
writel 0xfff117fd 0x5c057bd8
EOF
==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0)
==10595==The signal is caused by a READ memory access.
#0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:60:12
#1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1182:11
#2 0x55b6ab855a97 in gic_dist_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1514:9
#3 0x55b6aa1650d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
#4 0x55b6aa163ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
#5 0x55b6aa161f35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
#6 0x55b6a9313949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
#7 0x55b6a92fca11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
#8 0x55b6a92fc54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
=================================================================
Reproducer 2:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writeq 0xfff11f00 0x613a650f0fda6555
EOF
==1375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08
READ of size 8 at 0x608000001c80 thread T0
#0 0x5618928c486d in address_space_translate_iommu /home/alxndr/Development/qemu/general-fuzz/exec.c:451:23
#1 0x561892850acc in flatview_do_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:524:16
#2 0x5618928514ad in flatview_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:584:15
#3 0x5618928b1e14 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3199:14
#4 0x56189289aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
#5 0x56189289a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
#6 0x5618937a5e13 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:452:13
#7 0x56189379d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
#8 0x56189379c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
=================================================================
Reproducer 3:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writeq 0xfff11000 0x700000b
writeq 0xfff11f00 0x4f4f4fff54a7afaf
writel 0xfff10100 0x600001ff
EOF
==23743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8
READ of size 1 at 0x62b000006a92 thread T0
#0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:94:13
#1 0x55d690d9485b in gic_update_internal /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:185:13
#2 0x55d690d90376 in gic_update /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:226:5
#3 0x55d690dc0879 in gic_cpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1758:9
#4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1777:12
#5 0x55d68f6b30d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
#6 0x55d68f6b1ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
#7 0x55d68f6aff35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
#8 0x55d68e861949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
#9 0x55d68e84aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
#10 0x55d68e84a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
#11 0x55d68f755537 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:447:13
#12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
#13 0x55d68f74c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
#14 0x55d692dddc36 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:188:9
#15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:200:9
#16 0x55d692df105e in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/chardev/char-fd.c:68:9
#17 0x55d692f395df in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/io/channel-watch.c:84:12
#18 0x7f69a1b50897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:217:9
#20 0x55d6932f35b6 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:240:5
#21 0x55d6932f2f97 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:516:11
#22 0x55d68f76c62d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:1676:9
#23 0x55d692f6f20c in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:49:5
#24 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#25 0x55d68e753459 in _start (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x3254459)
0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200,0x62b000006a90)
allocated by thread T0 here:
#0 0x55d68e7cbe4d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x32cce4d)
#1 0x7f69a1b56500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
#2 0x55d69254f231 in object_new /home/alxndr/Development/qemu/general-fuzz/qom/object.c:708:12
#3 0x55d69034bf01 in qdev_new /home/alxndr/Development/qemu/general-fuzz/hw/core/qdev.c:136:12
#4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:319:15
#5 0x55d68f2b6466 in highbank_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:411:5
#6 0x55d6903d43f1 in machine_run_board_init /home/alxndr/Development/qemu/general-fuzz/hw/core/machine.c:1134:5
#7 0x55d68f77e0ee in qemu_init /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:4356:5
#8 0x55d692f6f207 in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:48:5
#9 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
Let me know if I can provide any further info.
-Alex
Why put all these bugs in the same ticket?
For reproducer #2:
writeq 0xfff11f00 0x613a650f0fda6555 does:
gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555
0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int target filter\n");
mask = ALL_CPU_MASK = 0xff
Having:
#define GIC_NR_SGIS 16
uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU];
s->sgi_pending[irq][target_cpu] |= (1 << cpu);
^^^
\ OOB access.
I haven't looked at reproducer #1, but is it a fuzzer-specific variant of LP:1602247 (trying to read the "for this CPU" registers from something other than a CPU doesn't work) ?
On 200730 1531, Philippe Mathieu-Daudé wrote:
> Why put all these bugs in the same ticket?
Thought they might have a similar root cause, though that is evidently
wrong..
> For reproducer #2:
>
> writeq 0xfff11f00 0x613a650f0fda6555 does:
>
> gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555
>
> 0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int
> target filter\n");
>
> mask = ALL_CPU_MASK = 0xff
>
> Having:
>
> #define GIC_NR_SGIS 16
> uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU];
>
> s->sgi_pending[irq][target_cpu] |= (1 << cpu);
> ^^^
> \ OOB access.
>
> ** Changed in: qemu
> Status: New => Confirmed
>
> ** Tags added: arm
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1889621
>
> Title:
> ARM Highbank Crashes Realted to GIC
>
> Status in QEMU:
> Confirmed
>
> Bug description:
> Hello,
> Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device.
>
> Reproducer 1:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writel 0xfff11f00 0x8405f559
> writel 0xfff117fd 0x5c057bd8
> EOF
>
> ==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0)
> ==10595==The signal is caused by a READ memory access.
> #0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:60:12
> #1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1182:11
> #2 0x55b6ab855a97 in gic_dist_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1514:9
> #3 0x55b6aa1650d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
> #4 0x55b6aa163ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
> #5 0x55b6aa161f35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
> #6 0x55b6a9313949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
> #7 0x55b6a92fca11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #8 0x55b6a92fc54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> =================================================================
>
> Reproducer 2:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11f00 0x613a650f0fda6555
> EOF
>
> ==1375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08
> READ of size 8 at 0x608000001c80 thread T0
> #0 0x5618928c486d in address_space_translate_iommu /home/alxndr/Development/qemu/general-fuzz/exec.c:451:23
> #1 0x561892850acc in flatview_do_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:524:16
> #2 0x5618928514ad in flatview_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:584:15
> #3 0x5618928b1e14 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3199:14
> #4 0x56189289aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #5 0x56189289a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> #6 0x5618937a5e13 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:452:13
> #7 0x56189379d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
> #8 0x56189379c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
> =================================================================
>
> Reproducer 3:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11000 0x700000b
> writeq 0xfff11f00 0x4f4f4fff54a7afaf
> writel 0xfff10100 0x600001ff
> EOF
>
> ==23743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8
> READ of size 1 at 0x62b000006a92 thread T0
> #0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:94:13
> #1 0x55d690d9485b in gic_update_internal /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:185:13
> #2 0x55d690d90376 in gic_update /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:226:5
> #3 0x55d690dc0879 in gic_cpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1758:9
> #4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1777:12
> #5 0x55d68f6b30d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
> #6 0x55d68f6b1ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
> #7 0x55d68f6aff35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
> #8 0x55d68e861949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
> #9 0x55d68e84aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #10 0x55d68e84a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> #11 0x55d68f755537 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:447:13
> #12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
> #13 0x55d68f74c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
> #14 0x55d692dddc36 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:188:9
> #15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:200:9
> #16 0x55d692df105e in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/chardev/char-fd.c:68:9
> #17 0x55d692f395df in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/io/channel-watch.c:84:12
> #18 0x7f69a1b50897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
> #19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:217:9
> #20 0x55d6932f35b6 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:240:5
> #21 0x55d6932f2f97 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:516:11
> #22 0x55d68f76c62d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:1676:9
> #23 0x55d692f6f20c in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:49:5
> #24 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
> #25 0x55d68e753459 in _start (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x3254459)
>
> 0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200,0x62b000006a90)
> allocated by thread T0 here:
> #0 0x55d68e7cbe4d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x32cce4d)
> #1 0x7f69a1b56500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
> #2 0x55d69254f231 in object_new /home/alxndr/Development/qemu/general-fuzz/qom/object.c:708:12
> #3 0x55d69034bf01 in qdev_new /home/alxndr/Development/qemu/general-fuzz/hw/core/qdev.c:136:12
> #4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:319:15
> #5 0x55d68f2b6466 in highbank_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:411:5
> #6 0x55d6903d43f1 in machine_run_board_init /home/alxndr/Development/qemu/general-fuzz/hw/core/machine.c:1134:5
> #7 0x55d68f77e0ee in qemu_init /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:4356:5
> #8 0x55d692f6f207 in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:48:5
> #9 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
>
>
> Let me know if I can provide any further info.
> -Alex
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1889621/+subscriptions
On 200730 1550, Peter Maydell wrote:
> I haven't looked at reproducer #1, but is it a fuzzer-specific variant
> of LP:1602247 (trying to read the "for this CPU" registers from
> something other than a CPU doesn't work) ?
That was my initial suspicion as well, but it looks like the SEGV
happens here:
if (s->num_cpu > 1) {
rather than here:
return current_cpu->cpu_index;
-Alex
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1889621
>
> Title:
> ARM Highbank Crashes Realted to GIC
>
> Status in QEMU:
> Confirmed
>
> Bug description:
> Hello,
> Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device.
>
> Reproducer 1:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writel 0xfff11f00 0x8405f559
> writel 0xfff117fd 0x5c057bd8
> EOF
>
> ==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0)
> ==10595==The signal is caused by a READ memory access.
> #0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:60:12
> #1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1182:11
> #2 0x55b6ab855a97 in gic_dist_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1514:9
> #3 0x55b6aa1650d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
> #4 0x55b6aa163ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
> #5 0x55b6aa161f35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
> #6 0x55b6a9313949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
> #7 0x55b6a92fca11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #8 0x55b6a92fc54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> =================================================================
>
> Reproducer 2:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11f00 0x613a650f0fda6555
> EOF
>
> ==1375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08
> READ of size 8 at 0x608000001c80 thread T0
> #0 0x5618928c486d in address_space_translate_iommu /home/alxndr/Development/qemu/general-fuzz/exec.c:451:23
> #1 0x561892850acc in flatview_do_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:524:16
> #2 0x5618928514ad in flatview_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:584:15
> #3 0x5618928b1e14 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3199:14
> #4 0x56189289aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #5 0x56189289a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> #6 0x5618937a5e13 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:452:13
> #7 0x56189379d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
> #8 0x56189379c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
> =================================================================
>
> Reproducer 3:
> cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11000 0x700000b
> writeq 0xfff11f00 0x4f4f4fff54a7afaf
> writel 0xfff10100 0x600001ff
> EOF
>
> ==23743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8
> READ of size 1 at 0x62b000006a92 thread T0
> #0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:94:13
> #1 0x55d690d9485b in gic_update_internal /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:185:13
> #2 0x55d690d90376 in gic_update /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:226:5
> #3 0x55d690dc0879 in gic_cpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1758:9
> #4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1777:12
> #5 0x55d68f6b30d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
> #6 0x55d68f6b1ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
> #7 0x55d68f6aff35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
> #8 0x55d68e861949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
> #9 0x55d68e84aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
> #10 0x55d68e84a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
> #11 0x55d68f755537 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:447:13
> #12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
> #13 0x55d68f74c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
> #14 0x55d692dddc36 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:188:9
> #15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:200:9
> #16 0x55d692df105e in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/chardev/char-fd.c:68:9
> #17 0x55d692f395df in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/io/channel-watch.c:84:12
> #18 0x7f69a1b50897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
> #19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:217:9
> #20 0x55d6932f35b6 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:240:5
> #21 0x55d6932f2f97 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:516:11
> #22 0x55d68f76c62d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:1676:9
> #23 0x55d692f6f20c in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:49:5
> #24 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
> #25 0x55d68e753459 in _start (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x3254459)
>
> 0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200,0x62b000006a90)
> allocated by thread T0 here:
> #0 0x55d68e7cbe4d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x32cce4d)
> #1 0x7f69a1b56500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
> #2 0x55d69254f231 in object_new /home/alxndr/Development/qemu/general-fuzz/qom/object.c:708:12
> #3 0x55d69034bf01 in qdev_new /home/alxndr/Development/qemu/general-fuzz/hw/core/qdev.c:136:12
> #4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:319:15
> #5 0x55d68f2b6466 in highbank_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:411:5
> #6 0x55d6903d43f1 in machine_run_board_init /home/alxndr/Development/qemu/general-fuzz/hw/core/machine.c:1134:5
> #7 0x55d68f77e0ee in qemu_init /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:4356:5
> #8 0x55d692f6f207 in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:48:5
> #9 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
>
>
> Let me know if I can provide any further info.
> -Alex
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1889621/+subscriptions
Can you still reproduce one of these issues with the current master branch of QEMU? For me, all three reproduces do not seem to cause any trouble anymore...
I believe these were all taken care of by
edfe2eb436 ("hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register")
09bbdb89bc ("hw/intc/arm_gic: Allow to use QTest without crashing")
Ok, thanks, then let's close this (and open new tickets on gitlab if it happens again)
|