diff for duplicates of <ced59c5e-01e9-9da6-5191-9d34ffa976b0@redhat.com>

diff --git a/a/1.txt b/N1/1.txt
index 85d3f75..b686b77 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -32,4 +32,48 @@ It looks to me a normal behavior for a DMA device. DMA devices have a
 different address space view than the CPUs.
 Also note the fw_cfg is a generic device, not restricted to the x86 arch.
 
-Maybe this function could use dma_memory_valid() to skip unassigned regions?
+Maybe this function could use dma_memory_valid() to skip unassigned
+regions?
+
+-- 
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1880355
+
+Title:
+  Length restrictions for fw_cfg_dma_transfer?
+
+Status in QEMU:
+  New
+
+Bug description:
+  For me, this takes close to 3 minutes at 100% CPU:
+  echo "outl 0x518 0x9596ffff" | ./i386-softmmu/qemu-system-i386 -M q35 -m 32 -nographic -accel qtest -monitor none -serial none -qtest stdio
+
+  #0  phys_page_find (d=0x606000035d80, addr=136728041144404) at /exec.c:338
+  #1  address_space_lookup_region (d=0x606000035d80, addr=136728041144404, resolve_subpage=true) at /exec.c:363
+  #2  address_space_translate_internal (d=0x606000035d80, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, resolve_subpage=true) at /exec.c:382
+  #3  flatview_do_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen_out=0x7fff1fc0d090, page_mask_out=0x0, is_write=true, is_mmio=true, target_as=0x7fff1fc0ce10, attrs=...)
+      pment/qemu/exec.c:520
+  #4  flatview_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, is_write=true, attrs=...) at /exec.c:586
+  #5  flatview_write_continue (fv=0x606000035d20, addr=136728041144404, attrs=..., ptr=0x7fff1fc0d660, len=172, addr1=136728041144400, l=172, mr=0x557fd54e77e0 <io_mem_unassigned>)
+      pment/qemu/exec.c:3160
+  #6  flatview_write (fv=0x606000035d20, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3177
+  #7  address_space_write (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3271
+  #8  dma_memory_set (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, c=0 '\000', len=1378422272) at /dma-helpers.c:31
+  #9  fw_cfg_dma_transfer (s=0x61a000001e80) at /hw/nvram/fw_cfg.c:400
+  #10 fw_cfg_dma_mem_write (opaque=0x61a000001e80, addr=4, value=4294940309, size=4) at /hw/nvram/fw_cfg.c:467
+  #11 memory_region_write_accessor (mr=0x61a000002200, addr=4, value=0x7fff1fc0e3d0, size=4, shift=0, mask=4294967295, attrs=...) at /memory.c:483
+  #12 access_with_adjusted_size (addr=4, value=0x7fff1fc0e3d0, size=4, access_size_min=1, access_size_max=8, access_fn=0x557fd2288c80 <memory_region_write_accessor>, mr=0x61a000002200, attrs=...)
+      pment/qemu/memory.c:539
+  #13 memory_region_dispatch_write (mr=0x61a000002200, addr=4, data=4294940309, op=MO_32, attrs=...) at /memory.c:1476
+  #14 flatview_write_continue (fv=0x606000035f00, addr=1304, attrs=..., ptr=0x7fff1fc0ec40, len=4, addr1=4, l=4, mr=0x61a000002200) at /exec.c:3137
+  #15 flatview_write (fv=0x606000035f00, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3177
+  #16 address_space_write (as=0x557fd54e7bc0 <address_space_io>, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3271
+
+  
+  It looks like fw_cfg_dma_transfer gets the address(136728041144064) and length(1378422272) for the read from the value provided as input 4294940309 (0xFFFF9695) which lands in pcbios. Should there be any limits on the length of guest-memory that fw_cfg should populate?
+  Found by libfuzzer
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1880355/+subscriptions
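Review bot: the dma_memory_valid() suggestion at the top of this hunk only skips unassigned regions; it does not answer the question the appended bug report actually asks, namely whether the length should be bounded. Frame #8 of the quoted backtrace shows the transfer is a zero-fill (dma_memory_set, c=0) of len=1378422272 bytes, roughly 1.3 GiB, at a guest-chosen address, with both values taken from a descriptor that the report says is read from pcbios at 0xFFFF9695 after a single outl 0x518. The guest in the reproducer has only -m 32, so a cap on the DMA length, or a check that the range lies within the assigned guest RAM before the loop starts, would close the 3-minute 100% CPU stall regardless of which regions the loop later skips; worth stating that alongside the dma_memory_valid() idea so the two mitigations are not conflated.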
diff --git a/a/content_digest b/N1/content_digest
index e5e79e4..25c1b43 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,23 +2,16 @@
   "ref\000159029353528.907.11982786579949073896.malonedeb\@chaenomeles.canonical.com\0"
 ]
 [
-  "From\0Philippe Mathieu-Daud\303\251 <philmd\@redhat.com>\0"
+  "From\0Philippe Mathieu-Daud\303\251 <1880355\@bugs.launchpad.net>\0"
 ]
 [
   "Subject\0Re: [Bug 1880355] [NEW] Length restrictions for fw_cfg_dma_transfer?\0"
 ]
 [
-  "Date\0Sun, 24 May 2020 12:30:07 +0200\0"
+  "Date\0Sun, 24 May 2020 10:30:07 -0000\0"
 ]
 [
-  "To\0Bug 1880355 <1880355\@bugs.launchpad.net>",
-  " qemu-devel\@nongnu.org",
-  " Gerd Hoffmann <kraxel\@redhat.com>",
-  " Laszlo Ersek <lersek\@redhat.com>",
-  " Paolo Bonzini <pbonzini\@redhat.com>",
-  " Michael S. Tsirkin <mst\@redhat.com>",
-  " Peter Maydell <peter.maydell\@linaro.org>",
-  " Mark Cave-Ayland <mark.cave-ayland\@ilande.co.uk>\0"
+  "To\0qemu-devel\@nongnu.org\0"
 ]
 [
   "\0000:1\0"
@@ -61,7 +54,51 @@
   "different address space view than the CPUs.\n",
   "Also note the fw_cfg is a generic device, not restricted to the x86 arch.\n",
   "\n",
-  "Maybe this function could use dma_memory_valid() to skip unassigned regions?"
+  "Maybe this function could use dma_memory_valid() to skip unassigned\n",
+  "regions?\n",
+  "\n",
+  "-- \n",
+  "You received this bug notification because you are a member of qemu-\n",
+  "devel-ml, which is subscribed to QEMU.\n",
+  "https://bugs.launchpad.net/bugs/1880355\n",
+  "\n",
+  "Title:\n",
+  "  Length restrictions for fw_cfg_dma_transfer?\n",
+  "\n",
+  "Status in QEMU:\n",
+  "  New\n",
+  "\n",
+  "Bug description:\n",
+  "  For me, this takes close to 3 minutes at 100% CPU:\n",
+  "  echo \"outl 0x518 0x9596ffff\" | ./i386-softmmu/qemu-system-i386 -M q35 -m 32 -nographic -accel qtest -monitor none -serial none -qtest stdio\n",
+  "\n",
+  "  #0  phys_page_find (d=0x606000035d80, addr=136728041144404) at /exec.c:338\n",
+  "  #1  address_space_lookup_region (d=0x606000035d80, addr=136728041144404, resolve_subpage=true) at /exec.c:363\n",
+  "  #2  address_space_translate_internal (d=0x606000035d80, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, resolve_subpage=true) at /exec.c:382\n",
+  "  #3  flatview_do_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen_out=0x7fff1fc0d090, page_mask_out=0x0, is_write=true, is_mmio=true, target_as=0x7fff1fc0ce10, attrs=...)\n",
+  "      pment/qemu/exec.c:520\n",
+  "  #4  flatview_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, is_write=true, attrs=...) at /exec.c:586\n",
+  "  #5  flatview_write_continue (fv=0x606000035d20, addr=136728041144404, attrs=..., ptr=0x7fff1fc0d660, len=172, addr1=136728041144400, l=172, mr=0x557fd54e77e0 <io_mem_unassigned>)\n",
+  "      pment/qemu/exec.c:3160\n",
+  "  #6  flatview_write (fv=0x606000035d20, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3177\n",
+  "  #7  address_space_write (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3271\n",
+  "  #8  dma_memory_set (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, c=0 '\\000', len=1378422272) at /dma-helpers.c:31\n",
+  "  #9  fw_cfg_dma_transfer (s=0x61a000001e80) at /hw/nvram/fw_cfg.c:400\n",
+  "  #10 fw_cfg_dma_mem_write (opaque=0x61a000001e80, addr=4, value=4294940309, size=4) at /hw/nvram/fw_cfg.c:467\n",
+  "  #11 memory_region_write_accessor (mr=0x61a000002200, addr=4, value=0x7fff1fc0e3d0, size=4, shift=0, mask=4294967295, attrs=...) at /memory.c:483\n",
+  "  #12 access_with_adjusted_size (addr=4, value=0x7fff1fc0e3d0, size=4, access_size_min=1, access_size_max=8, access_fn=0x557fd2288c80 <memory_region_write_accessor>, mr=0x61a000002200, attrs=...)\n",
+  "      pment/qemu/memory.c:539\n",
+  "  #13 memory_region_dispatch_write (mr=0x61a000002200, addr=4, data=4294940309, op=MO_32, attrs=...) at /memory.c:1476\n",
+  "  #14 flatview_write_continue (fv=0x606000035f00, addr=1304, attrs=..., ptr=0x7fff1fc0ec40, len=4, addr1=4, l=4, mr=0x61a000002200) at /exec.c:3137\n",
+  "  #15 flatview_write (fv=0x606000035f00, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3177\n",
+  "  #16 address_space_write (as=0x557fd54e7bc0 <address_space_io>, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3271\n",
+  "\n",
+  "  \n",
+  "  It looks like fw_cfg_dma_transfer gets the address(136728041144064) and length(1378422272) for the read from the value provided as input 4294940309 (0xFFFF9695) which lands in pcbios. Should there be any limits on the length of guest-memory that fw_cfg should populate?\n",
+  "  Found by libfuzzer\n",
+  "\n",
+  "To manage notifications about this bug go to:\n",
+  "https://bugs.launchpad.net/qemu/+bug/1880355/+subscriptions"
 ]
 
-ad41127a852ca99d15cf770c763acf4179d2eec36f32bc33515c543d86b0a978
+c67883161b766c1ef3bb31145f088fb90c77d4c9c76819b7265a277ff1920d13
