diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-21 21:21:26 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-21 21:21:26 +0200 |
| commit | 4b927bc37359dec23f67d3427fc982945f24f404 (patch) | |
| tree | 245449ef9146942dc7fffd0235b48b7e70a00bf2 /gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml | |
| parent | aa8bd79cec7bf6790ddb01d156c2ef2201abbaab (diff) | |
| download | qemu-analysis-4b927bc37359dec23f67d3427fc982945f24f404.tar.gz qemu-analysis-4b927bc37359dec23f67d3427fc982945f24f404.zip | |
add gitlab issues in toml format
Diffstat (limited to 'gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml')
| -rw-r--r-- | gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml b/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml new file mode 100644 index 000000000..51070d52c --- /dev/null +++ b/gitlab/issues/target_i386/host_missing/accel_TCG/2180.toml @@ -0,0 +1,44 @@ +id = 2180 +title = "QEMU crashes when an interrupt is triggered whose descriptor is not in physical memory" +state = "closed" +created_at = "2024-02-20T16:08:18.466Z" +closed_at = "2024-03-26T19:46:03.207Z" +labels = ["Closed::Fixed", "accel: TCG", "target: i386"] +url = "https://gitlab.com/qemu-project/qemu/-/issues/2180" +host-os = "Arch Linux" +host-arch = "x86_64" +qemu-version = "8.2.50 (built from Git commit da96ad4a6a2ef26c83b15fa95e7fceef5147269c)" +guest-os = "Custom, see additional information section." +guest-arch = "x86" +description = """When an interrupt is triggered whose descriptor is mapped but not in physical memory, QEMU crashes with the following message: +``` +** +ERROR:../system/cpus.c:524:bql_lock_impl: assertion failed: (!bql_locked()) +Bail out! ERROR:../system/cpus.c:524:bql_lock_impl: assertion failed: (!bql_locked()) +Aborted (core dumped) +``` + +The given code triggers the bug by moving the IDT's base address, but it can also be triggered by any other method of moving the IDT's physical memory location, f.ex paging. With KVM enabled, this specific example loops forever instead of crashing, but if the code is altered to use paging, an internal KVM error is reported and the VM is paused.""" +reproduce = """1. Assemble the code listed below using NASM: `nasm test.asm -o test.bin` +2. Run the code using `qemu-system-i386 -drive format=raw,file=test.bin`. Note that the given code only triggers the bug if the guest has 2 gigabytes or less of physical memory. +3. QEMU crashes.""" +additional = """NASM assembly of the code used: +``` +bits 16 +org 0x7c00 + +_start: + ; Disable interrupts and load new IDT + cli + o32 lidt [idtdesc] + ; Descriptor for INT 0 is in nonexistent physical memory, which crashes QEMU. + int 0x00 + +idtdesc: + dw 0x3ff ; Limit: 1 KiB for IDT + dd 0x80000000 ; Base: 2 GiB + +; Like most BIOSes, SeaBIOS requires this magic number to boot +times 510-($-$$) db 0 +dw 0xaa55 +```""" |