ARM Highbank Crashes Related to GIC

Bug #1889621 reported by Alexander Bulekov
Affects: QEMU | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hello,
Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device.

Reproducer 1:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writel 0xfff11f00 0x8405f559
writel 0xfff117fd 0x5c057bd8
EOF

==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0)
==10595==The signal is caused by a READ memory access.
    #0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:60:12
    #1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1182:11
    #2 0x55b6ab855a97 in gic_dist_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1514:9
    #3 0x55b6aa1650d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
    #4 0x55b6aa163ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
    #5 0x55b6aa161f35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
    #6 0x55b6a9313949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
    #7 0x55b6a92fca11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
    #8 0x55b6a92fc54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
=================================================================

Reproducer 2:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writeq 0xfff11f00 0x613a650f0fda6555
EOF

==1375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08
READ of size 8 at 0x608000001c80 thread T0
    #0 0x5618928c486d in address_space_translate_iommu /home/alxndr/Development/qemu/general-fuzz/exec.c:451:23
    #1 0x561892850acc in flatview_do_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:524:16
    #2 0x5618928514ad in flatview_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:584:15
    #3 0x5618928b1e14 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3199:14
    #4 0x56189289aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
    #5 0x56189289a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
    #6 0x5618937a5e13 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:452:13
    #7 0x56189379d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
    #8 0x56189379c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
=================================================================

Reproducer 3:
cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \
-nographic -monitor none -serial none -qtest stdio
writeq 0xfff11000 0x700000b
writeq 0xfff11f00 0x4f4f4fff54a7afaf
writel 0xfff10100 0x600001ff
EOF

==23743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8
READ of size 1 at 0x62b000006a92 thread T0
    #0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:94:13
    #1 0x55d690d9485b in gic_update_internal /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:185:13
    #2 0x55d690d90376 in gic_update /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:226:5
    #3 0x55d690dc0879 in gic_cpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1758:9
    #4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1777:12
    #5 0x55d68f6b30d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12
    #6 0x55d68f6b1ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
    #7 0x55d68f6aff35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13
    #8 0x55d68e861949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23
    #9 0x55d68e84aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14
    #10 0x55d68e84a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18
    #11 0x55d68f755537 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:447:13
    #12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9
    #13 0x55d68f74c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5
    #14 0x55d692dddc36 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:188:9
    #15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:200:9
    #16 0x55d692df105e in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/chardev/char-fd.c:68:9
    #17 0x55d692f395df in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/io/channel-watch.c:84:12
    #18 0x7f69a1b50897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
    #19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:217:9
    #20 0x55d6932f35b6 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:240:5
    #21 0x55d6932f2f97 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:516:11
    #22 0x55d68f76c62d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:1676:9
    #23 0x55d692f6f20c in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:49:5
    #24 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
    #25 0x55d68e753459 in _start (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x3254459)

0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200,0x62b000006a90)
allocated by thread T0 here:
    #0 0x55d68e7cbe4d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x32cce4d)
    #1 0x7f69a1b56500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
    #2 0x55d69254f231 in object_new /home/alxndr/Development/qemu/general-fuzz/qom/object.c:708:12
    #3 0x55d69034bf01 in qdev_new /home/alxndr/Development/qemu/general-fuzz/hw/core/qdev.c:136:12
    #4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:319:15
    #5 0x55d68f2b6466 in highbank_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:411:5
    #6 0x55d6903d43f1 in machine_run_board_init /home/alxndr/Development/qemu/general-fuzz/hw/core/machine.c:1134:5
    #7 0x55d68f77e0ee in qemu_init /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:4356:5
    #8 0x55d692f6f207 in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:48:5
    #9 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16

Let me know if I can provide any further info.
-Alex

Tags: arm
Philippe Mathieu-Daudé (philmd) wrote :

Why put all these bugs in the same ticket?

For reproducer #2:

writeq 0xfff11f00 0x613a650f0fda6555 does:

gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555

0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int target filter\n");

mask = ALL_CPU_MASK = 0xff

Having:

#define GIC_NR_SGIS 16
uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU];

s->sgi_pending[irq][target_cpu] |= (1 << cpu);
               ^^^
                  \ OOB access.

Changed in qemu:
status: New → Confirmed
tags: added: arm
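
Philippe's decode of reproducer #2 above, worked through as an added example that is not QEMU's code: a small C model of the GICD_SGIR field extraction, with GIC_NR_SGIS, ALL_CPU_MASK, the sgi_pending indexing and the 0x0fda6555 value taken from this thread. The GIC_NCPU value of 8 and the 0x3ff versus 0xf interrupt-ID masks are my assumptions for the pre-fix and the bounds-safe decode; the model shows why an ID of 341 indexes sgi_pending out of bounds and how keeping only the 4-bit SGI ID field (0..15) and rejecting out-of-range IDs keeps the index inside the array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define GIC_NR_SGIS  16    /* from the page: SGI IDs are 0..15 */
#define GIC_NCPU     8     /* assumed size of sgi_pending's CPU dimension */
#define ALL_CPU_MASK 0xff  /* from the page */

struct sgir {              /* decoded GICD_SGIR write (model, not QEMU's) */
    unsigned irq;          /* interrupt ID, used as sgi_pending[irq][...] */
    unsigned mask;         /* target CPU bitmask */
    bool bad_filter;       /* target-list filter value 3 is reserved */
};

/* Decode a GICD_SGIR write issued by CPU `cpu`. `id_mask` is applied to the
 * interrupt ID field: 0x3ff models the pre-fix extraction (my assumption),
 * 0xf keeps only the architectural SGI ID bits [3:0]. */
static struct sgir decode_sgir(uint32_t value, unsigned cpu, uint32_t id_mask)
{
    struct sgir r = { .irq = value & id_mask, .mask = 0, .bad_filter = false };
    switch ((value >> 24) & 3) {
    case 0:  r.mask = (value >> 16) & ALL_CPU_MASK; break;  /* explicit list */
    case 1:  r.mask = ALL_CPU_MASK ^ (1u << cpu);   break;  /* all but self */
    case 2:  r.mask = 1u << cpu;                    break;  /* self only */
    default: r.mask = ALL_CPU_MASK; r.bad_filter = true; break;
    }
    return r;
}

/* True when sgi_pending[irq][...] would be indexed past GIC_NR_SGIS. */
static bool sgi_index_oob(const struct sgir *r) { return r->irq >= GIC_NR_SGIS; }

/* Slots of sgi_pending the write touches, or -1 when the ID is out of range
 * and the write must be dropped instead of indexing past the array. */
static int sgi_pending_slots(uint32_t value, unsigned cpu, uint32_t id_mask)
{
    struct sgir r = decode_sgir(value, cpu, id_mask);
    if (sgi_index_oob(&r)) return -1;
    int n = 0;
    for (unsigned t = 0; t < GIC_NCPU; t++) n += (r.mask >> t) & 1;
    return n;
}

int main(void)
{
    uint32_t v = 0x0fda6555;  /* low 32 bits of reproducer 2's writeq (page) */
    struct sgir old = decode_sgir(v, 0, 0x3ff), fix = decode_sgir(v, 0, 0xf);
    printf("pre-fix: irq=%u mask=0x%02x oob=%d\n", old.irq, old.mask, sgi_index_oob(&old));
    printf("fixed:   irq=%u mask=0x%02x oob=%d\n", fix.irq, fix.mask, sgi_index_oob(&fix));
    return 0;
}
```
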
Peter Maydell (pmaydell) wrote :

I haven't looked at reproducer #1, but is it a fuzzer-specific variant of LP:1602247 (trying to read the "for this CPU" registers from something other than a CPU doesn't work) ?

Alexander Bulekov (a1xndr) wrote : Re: [Bug 1889621] Re: ARM Highbank Crashes Related to GIC

On 200730 1531, Philippe Mathieu-Daudé wrote:
> Why put all these bugs in the same ticket?

Thought they might have a similar root cause, though that is evidently
wrong.

> For reproducer #2:
>
> writeq 0xfff11f00 0x613a650f0fda6555 does:
>
> gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555
>
> 0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int
> target filter\n");
>
> mask = ALL_CPU_MASK = 0xff
>
> Having:
>
> #define GIC_NR_SGIS 16
> uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU];
>
> s->sgi_pending[irq][target_cpu] |= (1 << cpu);
> ^^^
> \ OOB access.

Alexander Bulekov (a1xndr) wrote :

On 200730 1550, Peter Maydell wrote:
> I haven't looked at reproducer #1, but is it a fuzzer-specific variant
> of LP:1602247 (trying to read the "for this CPU" registers from
> something other than a CPU doesn't work) ?

That was my initial suspicion as well, but it looks like the SEGV
happens here:
if (s->num_cpu > 1) {
rather than here:
    return current_cpu->cpu_index;

-Alex


Thomas Huth (th-huth) wrote :

Can you still reproduce one of these issues with the current master branch of QEMU? For me, all three reproducers do not seem to cause any trouble anymore...

Changed in qemu:
status: Confirmed → Incomplete
Alexander Bulekov (a1xndr) wrote :

I believe these were all taken care of by
edfe2eb436 ("hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register")
09bbdb89bc ("hw/intc/arm_gic: Allow to use QTest without crashing")

Thomas Huth (th-huth) wrote :

Ok, thanks, then let's close this (and open new tickets on gitlab if it happens again)

Changed in qemu:
status: Incomplete → Fix Released