Patchwork kvmvapic: add read operation to the MemoryRegionOps to fix segfault

Submitter Tommi Rantala
Date Feb. 16, 2013, 9:20 a.m.
Message ID <1361006407-12763-1-git-send-email-tt.rantala@gmail.com>
Permalink /patch/221027/
State New

Comments

Tommi Rantala - Feb. 16, 2013, 9:20 a.m.
QEMU would occasionally segfault when fuzzing the linux kernel with
Trinity. Add a read op (copied from hw/kvm/apic.c) to vapic_ops to
prevent the crash.

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7fffeddcc700 (LWP 15999)]
 0x0000000000000000 in ?? ()
 (gdb) bt
 #0  0x0000000000000000 in ?? ()
 #1  0x00005555557bbd2d in memory_region_read_accessor (opaque=0x555556be77c8,
     addr=<optimized out>, value=0x7fffeddcbaf0, size=1, shift=0, mask=255) at
     /home/ttrantal/git/qemu/memory.c:316
 #2  0x00005555557bb612 in access_with_adjusted_size (addr=addr@entry=0,
     value=value@entry=0x7fffeddcbaf0, size=1, access_size_min=<optimized out>,
     access_size_max=<optimized out>, access=access@entry= 0x5555557bbcd0
     <memory_region_read_accessor>, opaque=opaque@entry=0x555556be77c8) at
     /home/ttrantal/git/qemu/memory.c:364
 #3  0x00005555557bcde8 in memory_region_iorange_read (iorange=0x555556874d90,
     offset=0, width=1, data=0x7fffeddcbaf0) at /home/ttrantal/git/qemu/memory.c:409
 #4  0x00005555557b6c37 in ioport_readb_thunk (opaque=<optimized out>,
     addr=<optimized out>) at /home/ttrantal/git/qemu/ioport.c:186
 #5  0x00005555557b74ee in ioport_read (address=0, index=0) at
     /home/ttrantal/git/qemu/ioport.c:70
 #6  cpu_inb (addr=addr@entry=126) at /home/ttrantal/git/qemu/ioport.c:309
 #7  0x00005555557b98a3 in kvm_handle_io (count=1, size=1, direction=0,
     data=<optimized out>, port=126) at /home/ttrantal/git/qemu/kvm-all.c:1414
 #8  kvm_cpu_exec (env=env@entry=0x555556bcc870) at
     /home/ttrantal/git/qemu/kvm-all.c:1581
 #9  0x0000555555763bb1 in qemu_kvm_cpu_thread_fn (arg=0x555556bcc870) at
     /home/ttrantal/git/qemu/cpus.c:759
 #10 0x00007ffff6487d15 in start_thread (arg=0x7fffeddcc700) at pthread_create.c:308
 #11 0x00007ffff297946d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
 (gdb)

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
---
 hw/kvmvapic.c | 7 +++++++
 1 file changed, 7 insertions(+)
Jan Kiszka - Feb. 18, 2013, 8:35 a.m.
On 2013-02-16 10:20, Tommi Rantala wrote:
> QEMU would occasionally segfault when fuzzing the linux kernel with
> Trinity. Add a read op (copied from hw/kvm/apic.c) to vapic_ops to
> prevent the crash.
> 
>  Program received signal SIGSEGV, Segmentation fault.
>  [Switching to Thread 0x7fffeddcc700 (LWP 15999)]
>  0x0000000000000000 in ?? ()
>  (gdb) bt
>  #0  0x0000000000000000 in ?? ()
>  #1  0x00005555557bbd2d in memory_region_read_accessor (opaque=0x555556be77c8,
>      addr=<optimized out>, value=0x7fffeddcbaf0, size=1, shift=0, mask=255) at
>      /home/ttrantal/git/qemu/memory.c:316
>  #2  0x00005555557bb612 in access_with_adjusted_size (addr=addr@entry=0,
>      value=value@entry=0x7fffeddcbaf0, size=1, access_size_min=<optimized out>,
>      access_size_max=<optimized out>, access=access@entry= 0x5555557bbcd0
>      <memory_region_read_accessor>, opaque=opaque@entry=0x555556be77c8) at
>      /home/ttrantal/git/qemu/memory.c:364
>  #3  0x00005555557bcde8 in memory_region_iorange_read (iorange=0x555556874d90,
>      offset=0, width=1, data=0x7fffeddcbaf0) at /home/ttrantal/git/qemu/memory.c:409
>  #4  0x00005555557b6c37 in ioport_readb_thunk (opaque=<optimized out>,
>      addr=<optimized out>) at /home/ttrantal/git/qemu/ioport.c:186
>  #5  0x00005555557b74ee in ioport_read (address=0, index=0) at
>      /home/ttrantal/git/qemu/ioport.c:70
>  #6  cpu_inb (addr=addr@entry=126) at /home/ttrantal/git/qemu/ioport.c:309
>  #7  0x00005555557b98a3 in kvm_handle_io (count=1, size=1, direction=0,
>      data=<optimized out>, port=126) at /home/ttrantal/git/qemu/kvm-all.c:1414
>  #8  kvm_cpu_exec (env=env@entry=0x555556bcc870) at
>      /home/ttrantal/git/qemu/kvm-all.c:1581
>  #9  0x0000555555763bb1 in qemu_kvm_cpu_thread_fn (arg=0x555556bcc870) at
>      /home/ttrantal/git/qemu/cpus.c:759
>  #10 0x00007ffff6487d15 in start_thread (arg=0x7fffeddcc700) at pthread_create.c:308
>  #11 0x00007ffff297946d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
>  (gdb)
> 
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
> ---
>  hw/kvmvapic.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/hw/kvmvapic.c b/hw/kvmvapic.c
> index 1b5f416..d4420fe 100644
> --- a/hw/kvmvapic.c
> +++ b/hw/kvmvapic.c
> @@ -615,6 +615,12 @@ static int vapic_prepare(VAPICROMState *s)
>      return 0;
>  }
>  
> +static uint64_t vapic_read(void *opaque, hwaddr addr,
> +                           unsigned int size)
> +{
> +    return ~(uint64_t)0;
> +}
> +
>  static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
>                          unsigned int size)
>  {
> @@ -683,6 +689,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
>  }
>  
>  static const MemoryRegionOps vapic_ops = {
> +    .read = vapic_read,
>      .write = vapic_write,
>      .endianness = DEVICE_NATIVE_ENDIAN,
>  };
> 

I'm generally fine with the patch but, to avoid such issues
systematically, we should either catch NULL handlers on execution or
reject ops registration if one of the handlers is NULL. I'm leaning a bit
toward the latter, as almost any device should require both handlers.

Jan

Patch

diff --git a/hw/kvmvapic.c b/hw/kvmvapic.c
index 1b5f416..d4420fe 100644
--- a/hw/kvmvapic.c
+++ b/hw/kvmvapic.c
@@ -615,6 +615,12 @@  static int vapic_prepare(VAPICROMState *s)
     return 0;
 }
 
+static uint64_t vapic_read(void *opaque, hwaddr addr,
+                           unsigned int size)
+{
+    return ~(uint64_t)0;
+}
+
 static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
                         unsigned int size)
 {
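Review bot: vapic_read carries no comment explaining why it exists or why it returns all ones, so the next reader cannot tell whether the value is meaningful or just a "nothing to read" filler; a short header such as `/* The vapic port is write-only: guest reads are not meaningful, so return all ones (same stub as hw/kvm/apic.c) rather than leave .read NULL. */` above the definition would settle that. The backtrace in the description shows a single byte read of port 126 from the guest reaching a NULL .read pointer, i.e. a guest-triggerable crash of the host-side QEMU process, which is worth stating plainly in the commit message as the impact being fixed. The all-ones value is safe for sub-8-byte accesses only because the memory core masks the result (mask=255 in the trace); if that assumption matters to the maintainer, naming it in the same comment avoids a later "fix" that masks by size here. vapic_write's body continues outside the hunk.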
@@ -683,6 +689,7 @@  static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
 }
 
 static const MemoryRegionOps vapic_ops = {
+    .read = vapic_read,
     .write = vapic_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };