On 2013-02-16 10:20, Tommi Rantala wrote:
> QEMU would occasionally segfault when fuzzing the linux kernel with
> Trinity. Add a read op (copied from hw/kvm/apic.c) to vapic_ops to
> prevent the crash.
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffeddcc700 (LWP 15999)]
> 0x0000000000000000 in ?? ()
> (gdb) bt
> #0 0x0000000000000000 in ?? ()
> #1 0x00005555557bbd2d in memory_region_read_accessor (opaque=0x555556be77c8,
> addr=<optimized out>, value=0x7fffeddcbaf0, size=1, shift=0, mask=255) at
> /home/ttrantal/git/qemu/memory.c:316
> #2 0x00005555557bb612 in access_with_adjusted_size (addr=addr@entry=0,
> value=value@entry=0x7fffeddcbaf0, size=1, access_size_min=<optimized
> out>,
> access_size_max=<optimized out>, access=access@entry= 0x5555557bbcd0
> <memory_region_read_accessor>, opaque=opaque@entry=0x555556be77c8) at
> /home/ttrantal/git/qemu/memory.c:364
> #3 0x00005555557bcde8 in memory_region_iorange_read (iorange=0x555556874d90,
> offset=0, width=1, data=0x7fffeddcbaf0) at
> /home/ttrantal/git/qemu/memory.c:409
> #4 0x00005555557b6c37 in ioport_readb_thunk (opaque=<optimized out>,
> addr=<optimized out>) at /home/ttrantal/git/qemu/ioport.c:186
> #5 0x00005555557b74ee in ioport_read (address=0, index=0) at
> /home/ttrantal/git/qemu/ioport.c:70
> #6 cpu_inb (addr=addr@entry=126) at /home/ttrantal/git/qemu/ioport.c:309
> #7 0x00005555557b98a3 in kvm_handle_io (count=1, size=1, direction=0,
> data=<optimized out>, port=126) at /home/ttrantal/git/qemu/kvm-all.c:1414
> #8 kvm_cpu_exec (env=env@entry=0x555556bcc870) at
> /home/ttrantal/git/qemu/kvm-all.c:1581
> #9 0x0000555555763bb1 in qemu_kvm_cpu_thread_fn (arg=0x555556bcc870) at
> /home/ttrantal/git/qemu/cpus.c:759
> #10 0x00007ffff6487d15 in start_thread (arg=0x7fffeddcc700) at
> pthread_create.c:308
> #11 0x00007ffff297946d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
> (gdb)
>
> Signed-off-by: Tommi Rantala <tt.rant...@gmail.com>
> ---
> hw/kvmvapic.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/kvmvapic.c b/hw/kvmvapic.c
> index 1b5f416..d4420fe 100644
> --- a/hw/kvmvapic.c
> +++ b/hw/kvmvapic.c
> @@ -615,6 +615,12 @@ static int vapic_prepare(VAPICROMState *s)
> return 0;
> }
>
> +static uint64_t vapic_read(void *opaque, hwaddr addr,
> + unsigned int size)
> +{
> + return ~(uint64_t)0;
> +}
> +
> static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
> unsigned int size)
> {
> @@ -683,6 +689,7 @@ static void vapic_write(void *opaque, hwaddr addr,
> uint64_t data,
> }
>
> static const MemoryRegionOps vapic_ops = {
> + .read = vapic_read,
> .write = vapic_write,
> .endianness = DEVICE_NATIVE_ENDIAN,
> };
> I'm generally fine with the patch but, to avoid such issues systematically, we should either catch NULL handlers on execution or reject ops registration if there is one. I'm leaning a bit toward the latter as almost any device should require both handlers. Jan
signature.asc
Description: OpenPGP digital signature
