QEMU

Booting Windows 2016 with qxl video crashes qemu

Bug #1713825 reported by Maciej Piechotka on 2017-08-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Expired	Undecided	Unassigned

Bug Description

launched from libvirt.

qemu version: 2.9.0
host: Linux <hostname> 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux
guest: Windows 2016 64 bit

Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
        set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810,
            139694281220940, 139694281220640, 139694281220940, 0, 0, 0}}
        pid = <optimized out>
        tid = <optimized out>
#1 0x00007f0ea40b644a in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0,
              139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416,
          sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f0ea40abab6 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size",
    file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416,
    function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92
        str = 0x7f0d1c026220 "\340r\002\034\r\177"
        total = 4096
#3 0x00007f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size",
    file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416,
    function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101
No locals.
#4 0x000055af6cc58805 in qxl_ram_set_dirty (qxl=<optimized out>, ptr=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416
        base = <optimized out>
        offset = <optimized out>
        qxl = <optimized out>
        ptr = <optimized out>
        base = <optimized out>
        offset = <optimized out>
#5 0x000055af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767
        qxl = 0x55af71a91450
        ring = <optimized out>
        item = <optimized out>
        id = 18446690739814400920
        __func__ = "interface_release_resource"
#6 0x00007f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101
No locals.
#7 0x00007f0ea510b609 in red_drawable_unref (red_drawable=<optimized out>) at red-worker.c:104
No locals.
#8 0x00007f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438
        display = 0x55af71dbd3c0
        __FUNCTION__ = "drawable_unref"
#9 0x00007f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637
        container = 0x0
        now = 0x7f0e68285ac0
#10 0x00007f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=<optimized out>) at display-channel.c:1729
        surface = 0x7f0e6828aae8
        last = <optimized out>
        __FUNCTION__ = "display_channel_draw"
        __func__ = "display_channel_draw"

Revision history for this message

Maciej Piechotka (uzytkownik2) wrote on 2017-09-27:

I reproduce it on 2.10.0

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2017-09-28:

Hi Maciej,
  Can you clarify:
     a) What version of the qxl drivers you have installed in windows
     b) Does it crash immediately or only when you do something specific?
     c) Can you give the qemu command line and/or libvirt xml
     d) What resolution have you got the guest set at?
     e) What version are your spice-server libraries at?

Changed in qemu:
status:	New → Incomplete

Revision history for this message

Maciej Piechotka (uzytkownik2) wrote on 2017-09-30:

libvirt config Edit (5.8 KiB, application/xml)

Sorry - email with reply got misdirected in inbox:

a) qxldod.sys 02/20/2017,10.0.0.16000
b) Immediately during boot. I assume during loading the driver
c) Attached working configuration. For repro I change cirrus to qxl and delete arguments to have defaults set by libvirt.
d) 1920x1080 I think. I cannot double check as it, well, crashes
e) 0.13.90

Thomas Huth (th-huth) on 2017-11-10

Changed in qemu:
status:	Incomplete → New

Revision history for this message

Gerd Hoffmann (kraxel-redhat) wrote on 2017-11-14:

Doesn't reproduce. It's a newer driver though (10.0.0.18000).
Does updating the driver help?

Revision history for this message

Maciej Piechotka (uzytkownik2) wrote on 2017-11-14:

It helps but I'm quite sure that lower level security systems (guest) should never be able to crash higher level security systems (hypervisor).

PS. It repros in 2.10.0 as well.

Revision history for this message

Gerd Hoffmann (kraxel-redhat) wrote on 2017-11-15:

Guest triggerable assert() isn't exactly nice indeed.
But it's not a show stopper.
It doesn't allow exploiting the host, the guest can only DoS itself.
And you must be priviledged in the guest to do so.

Most likely this is the driver placing the qxl commands in the wrong pci bar. See commit 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858. Seems the impact is more than breaking live migration. So, I can raise a error irq and have qxl enter guest bug mode. That doesn't improve the situation much though, the guest will continue running but you will have broken display ...

Revision history for this message

Thomas Huth (th-huth) wrote on 2020-09-26:

Does this issue still persist with the latest version of QEMU/libvirt/qxl-drivers ?