| Message ID | 20161018115057.20669-1-marcandre.lureau@redhat.com |
|---|---|
| State | New |
| Headers | show |
On 18 October 2016 at 12:50, Marc-André Lureau <marcandre.lureau@redhat.com> wrote: > ASAN complains about buffer overflow when running: > aarch64-softmmu/qemu-system-aarch64 -machine xilinx-zynq-a9 > > ==476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000035e38 at pc 0x000000f75253 bp 0x7ffc597e0ec0 sp 0x7ffc597e0eb0 > READ of size 8 at 0x602000035e38 thread T0 > #0 0xf75252 in xilinx_spips_realize hw/ssi/xilinx_spips.c:623 > #1 0xb9ef6c in device_set_realized hw/core/qdev.c:918 > #2 0x129ae01 in property_set_bool qom/object.c:1854 > #3 0x1296e70 in object_property_set qom/object.c:1088 > #4 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27 > #5 0x1297168 in object_property_set_bool qom/object.c:1157 > #6 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358 > #7 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125 > #8 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238 > #9 0x998eac in main /home/elmarco/src/qemu/vl.c:4534 > #10 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730) > #11 0x41d0a8 in _start (/home/elmarco/src/qemu/aarch64-softmmu/qemu-system-aarch64+0x41d0a8) > > 0x602000035e38 is located 0 bytes to the right of 8-byte region [0x602000035e30,0x602000035e38) > allocated by thread T0 here: > #0 0x7f970b014e60 in malloc (/lib64/libasan.so.3+0xc6e60) > #1 0x7f96f15b0e18 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee18) > #2 0xb9ef6c in device_set_realized hw/core/qdev.c:918 > #3 0x129ae01 in property_set_bool qom/object.c:1854 > #4 0x1296e70 in object_property_set qom/object.c:1088 > #5 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27 > #6 0x1297168 in object_property_set_bool qom/object.c:1157 > #7 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358 > #8 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125 > #9 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238 > #10 0x998eac in main /home/elmarco/src/qemu/vl.c:4534 > #11 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730) > > s->spi is allocated with the size of num_busses which may be 1 (by > default). > > It looks like ssi_auto_connect_slaves() connects all devices children to > a s->spi bus. Since there can be only one parent bus, remove the second call. > > Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > hw/ssi/xilinx_spips.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > index e2b77dc..ab7fa6f 100644 > --- a/hw/ssi/xilinx_spips.c > +++ b/hw/ssi/xilinx_spips.c > @@ -620,7 +620,7 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) > > s->cs_lines = g_new0(qemu_irq, s->num_cs * s->num_busses); > ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[0]); > - ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[1]); As Paolo said this should really be a loop. I'm assuming Paolo's going to take this patch and fix that up. thanks -- PMM
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index e2b77dc..ab7fa6f 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -620,7 +620,7 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) s->cs_lines = g_new0(qemu_irq, s->num_cs * s->num_busses); ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[0]); - ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[1]); + sysbus_init_irq(sbd, &s->irq); for (i = 0; i < s->num_cs * s->num_busses; ++i) { sysbus_init_irq(sbd, &s->cs_lines[i]);
ASAN complains about buffer overflow when running: aarch64-softmmu/qemu-system-aarch64 -machine xilinx-zynq-a9 ==476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000035e38 at pc 0x000000f75253 bp 0x7ffc597e0ec0 sp 0x7ffc597e0eb0 READ of size 8 at 0x602000035e38 thread T0 #0 0xf75252 in xilinx_spips_realize hw/ssi/xilinx_spips.c:623 #1 0xb9ef6c in device_set_realized hw/core/qdev.c:918 #2 0x129ae01 in property_set_bool qom/object.c:1854 #3 0x1296e70 in object_property_set qom/object.c:1088 #4 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27 #5 0x1297168 in object_property_set_bool qom/object.c:1157 #6 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358 #7 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125 #8 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238 #9 0x998eac in main /home/elmarco/src/qemu/vl.c:4534 #10 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730) #11 0x41d0a8 in _start (/home/elmarco/src/qemu/aarch64-softmmu/qemu-system-aarch64+0x41d0a8) 0x602000035e38 is located 0 bytes to the right of 8-byte region [0x602000035e30,0x602000035e38) allocated by thread T0 here: #0 0x7f970b014e60 in malloc (/lib64/libasan.so.3+0xc6e60) #1 0x7f96f15b0e18 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee18) #2 0xb9ef6c in device_set_realized hw/core/qdev.c:918 #3 0x129ae01 in property_set_bool qom/object.c:1854 #4 0x1296e70 in object_property_set qom/object.c:1088 #5 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27 #6 0x1297168 in object_property_set_bool qom/object.c:1157 #7 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358 #8 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125 #9 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238 #10 0x998eac in main /home/elmarco/src/qemu/vl.c:4534 #11 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730) s->spi is allocated with the size of num_busses which may be 1 (by default). It looks like ssi_auto_connect_slaves() connects all devices children to a s->spi bus. Since there can be only one parent bus, remove the second call. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> --- hw/ssi/xilinx_spips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)