QEMU

Bug #1803160
Comment #0

Comment 0 for bug 1803160

Revision history for this message

Alberto Ortega (aortega) wrote on 2018-11-13:

QEMU version:
-------------

qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)

Summary:
--------

TCG crashes in i386 and x86_64 when it tries to execute some specific illegal instructions. When running full OS emulation, both the guest system and QEMU crash.

The issue has been reproduced in two scenarios:

Ubuntu x64 host running Debian x86 guest with the following command line: qemu-system-x86_64 -m 4G debian.qcow

When the attached ELF file is executed inside the guest, QEMU crashes.

It can also be reproduced from the command line:

$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped) ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf

GDB backtrace:

(gdb) bt
#0 0x0000000060206488 in raise ()
#1 0x0000000060206b8a in abort ()
#2 0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3 0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4 tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5 0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6 0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7 cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8 0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9 0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)

Testcase:
---------

Find ELF file attached, and also in the following hexdump:

$ hexdump -C tcg_crash.elf
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 54 80 04 08 34 00 00 00 |........T...4...|
00000020 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 |........4. .....|
00000030 00 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 64 00 00 00 64 00 00 00 05 00 00 00 |....d...d.......|
00000050 00 10 00 00 d2 dc a8 45 31 ca f0 35 d9 4d 8f 18 |.......E1..5.M..|
00000060 05 2e 6f 9f |..o.|

QEMU version:
-------------

qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)

Summary:
--------

TCG crashes in i386 and x86_64 when it tries to execute some specific illegal instructions. When running full OS emulation, both the guest system and QEMU crash.

The issue has been reproduced in two scenarios:

Ubuntu x64 host running Debian x86 guest with the following command line: qemu-system-x86_64 -m 4G debian.qcow

When the attached ELF file is executed inside the guest, QEMU crashes.

It can also be reproduced from the command line:

$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped)  ../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf

GDB backtrace:

(gdb) bt
#0  0x0000000060206488 in raise ()
#1  0x0000000060206b8a in abort ()
#2  0x0000000060007016 in temp_load (s=s@entry=0x607a2780 <tcg_init_ctx>, ts=ts@entry=0x607a3178 <tcg_init_ctx+2552>, desired_regs=<optimized out>, allocated_regs=allocated_regs@entry=16400)
    at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3  0x000000006000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4  tcg_gen_code (s=<optimized out>, tb=tb@entry=0x607ac040 <static_code_gen_buffer+4144>) at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5  0x000000006003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, cflags=cflags@entry=0)
    at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6  0x000000006003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7  cpu_exec (cpu=cpu@entry=0x627e0010) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8  0x000000006006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9  0x00000000600037c5 in main (argc=2, argv=0x7fffffffdd28, envp=<optimized out>) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)

Testcase:
---------

Find ELF file attached, and also in the following hexdump:

$ hexdump -C tcg_crash.elf
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  54 80 04 08 34 00 00 00  |........T...4...|
00000020  00 00 00 00 00 00 00 00  34 00 20 00 01 00 00 00  |........4. .....|
00000030  00 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000040  00 80 04 08 64 00 00 00  64 00 00 00 05 00 00 00  |....d...d.......|
00000050  00 10 00 00 d2 dc a8 45  31 ca f0 35 d9 4d 8f 18  |.......E1..5.M..|
00000060  05 2e 6f 9f                                       |..o.|