[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
Guest triggerable assert() isn't exactly nice indeed. But it's not a show stopper. It doesn't allow exploiting the host, the guest can only DoS itself. And you must be priviledged in the guest to do so. Most likely this is the driver placing the qxl commands in the wrong pci bar. See commit 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858. Seems the impact is more than breaking live migration. So, I can raise a error irq and have qxl enter guest bug mode. That doesn't improve the situation much though, the guest will continue running but you will have broken display ... -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1713825 Title: Booting Windows 2016 with qxl video crashes qemu Status in QEMU: New Bug description: launched from libvirt. qemu version: 2.9.0 host: Linux 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux guest: Windows 2016 64 bit Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} pid = tid = #1 0x7f0ea40b644a in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} sigs = {__val = {32, 0 }} #2 0x7f0ea40abab6 in __assert_fail_base (fmt=, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 str = 0x7f0d1c026220 "\340r\002\034\r\177" total = 4096 #3 0x7f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 No locals. #4 0x55af6cc58805 in qxl_ram_set_dirty (qxl=, ptr=) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 base = offset = qxl = ptr = base = offset = #5 0x55af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 qxl = 0x55af71a91450 ring = item = id = 18446690739814400920 __func__ = "interface_release_resource" #6 0x7f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 No locals. #7 0x7f0ea510b609 in red_drawable_unref (red_drawable=) at red-worker.c:104 No locals. #8 0x7f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 display = 0x55af71dbd3c0 __FUNCTION__ = "drawable_unref" #9 0x7f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 container = 0x0 now = 0x7f0e68285ac0 #10 0x7f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=) at display-channel.c:1729 surface = 0x7f0e6828aae8 last = __FUNCTION__ = "display_channel_draw" __func__ = "display_channel_draw" To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions
[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
It helps but I'm quite sure that lower level security systems (guest) should never be able to crash higher level security systems (hypervisor). PS. It repros in 2.10.0 as well. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1713825 Title: Booting Windows 2016 with qxl video crashes qemu Status in QEMU: New Bug description: launched from libvirt. qemu version: 2.9.0 host: Linux 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux guest: Windows 2016 64 bit Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} pid = tid = #1 0x7f0ea40b644a in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} sigs = {__val = {32, 0 }} #2 0x7f0ea40abab6 in __assert_fail_base (fmt=, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 str = 0x7f0d1c026220 "\340r\002\034\r\177" total = 4096 #3 0x7f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 No locals. #4 0x55af6cc58805 in qxl_ram_set_dirty (qxl=, ptr=) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 base = offset = qxl = ptr = base = offset = #5 0x55af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 qxl = 0x55af71a91450 ring = item = id = 18446690739814400920 __func__ = "interface_release_resource" #6 0x7f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 No locals. #7 0x7f0ea510b609 in red_drawable_unref (red_drawable=) at red-worker.c:104 No locals. #8 0x7f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 display = 0x55af71dbd3c0 __FUNCTION__ = "drawable_unref" #9 0x7f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 container = 0x0 now = 0x7f0e68285ac0 #10 0x7f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=) at display-channel.c:1729 surface = 0x7f0e6828aae8 last = __FUNCTION__ = "display_channel_draw" __func__ = "display_channel_draw" To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions
[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
Doesn't reproduce. It's a newer driver though (10.0.0.18000). Does updating the driver help? -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1713825 Title: Booting Windows 2016 with qxl video crashes qemu Status in QEMU: New Bug description: launched from libvirt. qemu version: 2.9.0 host: Linux 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux guest: Windows 2016 64 bit Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} pid = tid = #1 0x7f0ea40b644a in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} sigs = {__val = {32, 0 }} #2 0x7f0ea40abab6 in __assert_fail_base (fmt=, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 str = 0x7f0d1c026220 "\340r\002\034\r\177" total = 4096 #3 0x7f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 No locals. #4 0x55af6cc58805 in qxl_ram_set_dirty (qxl=, ptr=) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 base = offset = qxl = ptr = base = offset = #5 0x55af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 qxl = 0x55af71a91450 ring = item = id = 18446690739814400920 __func__ = "interface_release_resource" #6 0x7f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 No locals. #7 0x7f0ea510b609 in red_drawable_unref (red_drawable=) at red-worker.c:104 No locals. #8 0x7f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 display = 0x55af71dbd3c0 __FUNCTION__ = "drawable_unref" #9 0x7f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 container = 0x0 now = 0x7f0e68285ac0 #10 0x7f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=) at display-channel.c:1729 surface = 0x7f0e6828aae8 last = __FUNCTION__ = "display_channel_draw" __func__ = "display_channel_draw" To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions
[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
** Changed in: qemu Status: Incomplete => New -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1713825 Title: Booting Windows 2016 with qxl video crashes qemu Status in QEMU: New Bug description: launched from libvirt. qemu version: 2.9.0 host: Linux 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux guest: Windows 2016 64 bit Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} pid = tid = #1 0x7f0ea40b644a in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} sigs = {__val = {32, 0 }} #2 0x7f0ea40abab6 in __assert_fail_base (fmt=, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 str = 0x7f0d1c026220 "\340r\002\034\r\177" total = 4096 #3 0x7f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 No locals. #4 0x55af6cc58805 in qxl_ram_set_dirty (qxl=, ptr=) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 base = offset = qxl = ptr = base = offset = #5 0x55af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 qxl = 0x55af71a91450 ring = item = id = 18446690739814400920 __func__ = "interface_release_resource" #6 0x7f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 No locals. #7 0x7f0ea510b609 in red_drawable_unref (red_drawable=) at red-worker.c:104 No locals. #8 0x7f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 display = 0x55af71dbd3c0 __FUNCTION__ = "drawable_unref" #9 0x7f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 container = 0x0 now = 0x7f0e68285ac0 #10 0x7f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=) at display-channel.c:1729 surface = 0x7f0e6828aae8 last = __FUNCTION__ = "display_channel_draw" __func__ = "display_channel_draw" To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions
[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
I reproduce it on 2.10.0 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1713825 Title: Booting Windows 2016 with qxl video crashes qemu Status in QEMU: New Bug description: launched from libvirt. qemu version: 2.9.0 host: Linux 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux guest: Windows 2016 64 bit Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}} pid = tid = #1 0x7f0ea40b644a in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>} sigs = {__val = {32, 0 }} #2 0x7f0ea40abab6 in __assert_fail_base (fmt=, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92 str = 0x7f0d1c026220 "\340r\002\034\r\177" total = 4096 #3 0x7f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size", file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416, function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101 No locals. #4 0x55af6cc58805 in qxl_ram_set_dirty (qxl=, ptr=) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416 base = offset = qxl = ptr = base = offset = #5 0x55af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767 qxl = 0x55af71a91450 ring = item = id = 18446690739814400920 __func__ = "interface_release_resource" #6 0x7f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101 No locals. #7 0x7f0ea510b609 in red_drawable_unref (red_drawable=) at red-worker.c:104 No locals. #8 0x7f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438 display = 0x55af71dbd3c0 __FUNCTION__ = "drawable_unref" #9 0x7f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637 container = 0x0 now = 0x7f0e68285ac0 #10 0x7f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=) at display-channel.c:1729 surface = 0x7f0e6828aae8 last = __FUNCTION__ = "display_channel_draw" __func__ = "display_channel_draw" To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions