On 200730 1531, Philippe Mathieu-Daudé wrote: > Why put all these bugs in the same ticket?
Thought they might have a similar root cause, though that is evidently wrong..
> For reproducer #2: > > writeq 0xfff11f00 0x613a650f0fda6555 does: > > gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555 > > 0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int > target filter\n"); > > mask = ALL_CPU_MASK = 0xff > > Having: > > #define GIC_NR_SGIS 16 > uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU]; > > s->sgi_pending[irq][target_cpu] |= (1 << cpu); > ^^^ > \ OOB access. > > ** Changed in: qemu > Status: New => Confirmed > > ** Tags added: arm > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1889621 > > Title: > ARM Highbank Crashes Realted to GIC > > Status in QEMU: > Confirmed > > Bug description: > Hello, > Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device. > > Reproducer 1: > cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \ > -nographic -monitor none -serial none -qtest stdio > writel 0xfff11f00 0x8405f559 > writel 0xfff117fd 0x5c057bd8 > EOF > > ==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0) > ==10595==The signal is caused by a READ memory access. > #0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:60:12 > #1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1182:11 > #2 0x55b6ab855a97 in gic_dist_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1514:9 > #3 0x55b6aa1650d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12 > #4 0x55b6aa163ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18 > #5 0x55b6aa161f35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13 > #6 0x55b6a9313949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23 > #7 0x55b6a92fca11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14 > #8 0x55b6a92fc54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18 > ================================================================= > > Reproducer 2: > cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \ > -nographic -monitor none -serial none -qtest stdio > writeq 0xfff11f00 0x613a650f0fda6555 > EOF > > ==1375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08 > READ of size 8 at 0x608000001c80 thread T0 > #0 0x5618928c486d in address_space_translate_iommu /home/alxndr/Development/qemu/general-fuzz/exec.c:451:23 > #1 0x561892850acc in flatview_do_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:524:16 > #2 0x5618928514ad in flatview_translate /home/alxndr/Development/qemu/general-fuzz/exec.c:584:15 > #3 0x5618928b1e14 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3199:14 > #4 0x56189289aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14 > #5 0x56189289a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18 > #6 0x5618937a5e13 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:452:13 > #7 0x56189379d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9 > #8 0x56189379c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5 > ================================================================= > > Reproducer 3: > cat << EOF | ./arm-softmmu/qemu-system-arm -machine highbank \ > -nographic -monitor none -serial none -qtest stdio > writeq 0xfff11000 0x700000b > writeq 0xfff11f00 0x4f4f4fff54a7afaf > writel 0xfff10100 0x600001ff > EOF > > ==23743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8 > READ of size 1 at 0x62b000006a92 thread T0 > #0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:94:13 > #1 0x55d690d9485b in gic_update_internal /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:185:13 > #2 0x55d690d90376 in gic_update /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:226:5 > #3 0x55d690dc0879 in gic_cpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1758:9 > #4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/Development/qemu/general-fuzz/hw/intc/arm_gic.c:1777:12 > #5 0x55d68f6b30d4 in memory_region_write_with_attrs_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:503:12 > #6 0x55d68f6b1ac6 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18 > #7 0x55d68f6aff35 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1473:13 > #8 0x55d68e861949 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/exec.c:3176:23 > #9 0x55d68e84aa11 in flatview_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3216:14 > #10 0x55d68e84a54e in address_space_write /home/alxndr/Development/qemu/general-fuzz/exec.c:3308:18 > #11 0x55d68f755537 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:447:13 > #12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:710:9 > #13 0x55d68f74c680 in qtest_read /home/alxndr/Development/qemu/general-fuzz/softmmu/qtest.c:722:5 > #14 0x55d692dddc36 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:188:9 > #15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/chardev/char.c:200:9 > #16 0x55d692df105e in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/chardev/char-fd.c:68:9 > #17 0x55d692f395df in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/io/channel-watch.c:84:12 > #18 0x7f69a1b50897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897) > #19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:217:9 > #20 0x55d6932f35b6 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:240:5 > #21 0x55d6932f2f97 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/util/main-loop.c:516:11 > #22 0x55d68f76c62d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:1676:9 > #23 0x55d692f6f20c in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:49:5 > #24 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16 > #25 0x55d68e753459 in _start (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x3254459) > > 0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200,0x62b000006a90) > allocated by thread T0 here: > #0 0x55d68e7cbe4d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/arm-softmmu/qemu-system-arm+0x32cce4d) > #1 0x7f69a1b56500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500) > #2 0x55d69254f231 in object_new /home/alxndr/Development/qemu/general-fuzz/qom/object.c:708:12 > #3 0x55d69034bf01 in qdev_new /home/alxndr/Development/qemu/general-fuzz/hw/core/qdev.c:136:12 > #4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:319:15 > #5 0x55d68f2b6466 in highbank_init /home/alxndr/Development/qemu/general-fuzz/hw/arm/highbank.c:411:5 > #6 0x55d6903d43f1 in machine_run_board_init /home/alxndr/Development/qemu/general-fuzz/hw/core/machine.c:1134:5 > #7 0x55d68f77e0ee in qemu_init /home/alxndr/Development/qemu/general-fuzz/softmmu/vl.c:4356:5 > #8 0x55d692f6f207 in main /home/alxndr/Development/qemu/general-fuzz/softmmu/main.c:48:5 > #9 0x7f69a06d6e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16 > > > Let me know if I can provide any further info. > -Alex > > To manage notifications about this bug go to: > https://bugs.launchpad.net/qemu/+bug/1889621/+subscriptions
On 200730 1531, Philippe Mathieu-Daudé wrote:
> Why put all these bugs in the same ticket?
Thought they might have a similar root cause, though that is evidently
wrong..
> For reproducer #2: GIC_NR_ SGIS][GIC_ NCPU]; pending[ irq][target_ cpu] |= (1 << cpu); /bugs.launchpad .net/bugs/ 1889621 qemu-system- arm -machine highbank \ Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:60: 12 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:1182: 11 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:1514: 9 region_ write_with_ attrs_accessor /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:503:12 with_adjusted_ size /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:544:18 region_ dispatch_ write /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:1473: 13 write_continue /home/alxndr/ Development/ qemu/general- fuzz/exec. c:3176: 23 Development/ qemu/general- fuzz/exec. c:3216: 14 Development/ qemu/general- fuzz/exec. c:3308: 18 ======= ======= ======= ======= ======= ======= ======= ======= == qemu-system- arm -machine highbank \ overflow on address 0x608000001c80 at pc 0x5618928c486e bp 0x7ffe22c4ee10 sp 0x7ffe22c4ee08 space_translate _iommu /home/alxndr/ Development/ qemu/general- fuzz/exec. c:451:23 do_translate /home/alxndr/ Development/ qemu/general- fuzz/exec. c:524:16 Development/ qemu/general- fuzz/exec. c:584:15 write_continue /home/alxndr/ Development/ qemu/general- fuzz/exec. c:3199: 14 Development/ qemu/general- fuzz/exec. c:3216: 14 Development/ qemu/general- fuzz/exec. c:3308: 18 command /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ qtest.c: 452:13 Development/ qemu/general- fuzz/softmmu/ qtest.c: 710:9 Development/ qemu/general- fuzz/softmmu/ qtest.c: 722:5 ======= ======= ======= ======= ======= ======= ======= ======= == qemu-system- arm -machine highbank \ overflow on address 0x62b000006a92 at pc 0x55d690d980e1 bp 0x7ffe606082d0 sp 0x7ffe606082c8 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:94: 13 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:185: 13 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:226: 5 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:1758: 9 Development/ qemu/general- fuzz/hw/ intc/arm_ gic.c:1777: 12 region_ write_with_ attrs_accessor /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:503:12 with_adjusted_ size /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:544:18 region_ dispatch_ write /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ memory. c:1473: 13 write_continue /home/alxndr/ Development/ qemu/general- fuzz/exec. c:3176: 23 Development/ qemu/general- fuzz/exec. c:3216: 14 Development/ qemu/general- fuzz/exec. c:3308: 18 command /home/alxndr/ Development/ qemu/general- fuzz/softmmu/ qtest.c: 447:13 Development/ qemu/general- fuzz/softmmu/ qtest.c: 710:9 Development/ qemu/general- fuzz/softmmu/ qtest.c: 722:5 be_write_ impl /home/alxndr/ Development/ qemu/general- fuzz/chardev/ char.c: 188:9 Development/ qemu/general- fuzz/chardev/ char.c: 200:9 Development/ qemu/general- fuzz/chardev/ char-fd. c:68:9 fd_source_ dispatch /home/alxndr/ Development/ qemu/general- fuzz/io/ channel- watch.c: 84:12 context_ dispatch (/usr/lib/ x86_64- linux-gnu/ libglib- 2.0.so. 0+0x4e897) Development/ qemu/general- fuzz/util/ main-loop. c:217:9 main_loop_ wait /home/alxndr/ Development/ qemu/general- fuzz/util/ main-loop. c:240:5 Development/ qemu/general- fuzz/util/ main-loop. c:516:11 Development/ qemu/general- fuzz/softmmu/ vl.c:1676: 9 Development/ qemu/general- fuzz/softmmu/ main.c: 49:5 glibc-GwnBeO/ glibc-2. 30/csu/ ../csu/ libc-start. c:308:16 alxndr/ Development/ qemu/general- fuzz/build/ arm-softmmu/ qemu-system- arm+0x3254459) ,0x62b000006a90 ) alxndr/ Development/ qemu/general- fuzz/build/ arm-softmmu/ qemu-system- arm+0x32cce4d) x86_64- linux-gnu/ libglib- 2.0.so. 0+0x54500) Development/ qemu/general- fuzz/qom/ object. c:708:12 Development/ qemu/general- fuzz/hw/ core/qdev. c:136:12 Development/ qemu/general- fuzz/hw/ arm/highbank. c:319:15 Development/ qemu/general- fuzz/hw/ arm/highbank. c:411:5 run_board_ init /home/alxndr/ Development/ qemu/general- fuzz/hw/ core/machine. c:1134: 5 Development/ qemu/general- fuzz/softmmu/ vl.c:4356: 5 Development/ qemu/general- fuzz/softmmu/ main.c: 48:5 glibc-GwnBeO/ glibc-2. 30/csu/ ../csu/ libc-start. c:308:16 /bugs.launchpad .net/qemu/ +bug/1889621/ +subscriptions
>
> writeq 0xfff11f00 0x613a650f0fda6555 does:
>
> gic_dist_write dist write at 0x00000f00 size 4: 0x0fda6555
>
> 0x0fda6555 => IRQ 341, mask type 3 illegal -> DPRINTF("Bad Soft Int
> target filter\n");
>
> mask = ALL_CPU_MASK = 0xff
>
> Having:
>
> #define GIC_NR_SGIS 16
> uint8_t sgi_pending[
>
> s->sgi_
> ^^^
> \ OOB access.
>
> ** Changed in: qemu
> Status: New => Confirmed
>
> ** Tags added: arm
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> ARM Highbank Crashes Realted to GIC
>
> Status in QEMU:
> Confirmed
>
> Bug description:
> Hello,
> Here are some QTest reproducers for crashes on ARM Highbank that all seem to be related to the gic device.
>
> Reproducer 1:
> cat << EOF | ./arm-softmmu/
> -nographic -monitor none -serial none -qtest stdio
> writel 0xfff11f00 0x8405f559
> writel 0xfff117fd 0x5c057bd8
> EOF
>
> ==10595==ERROR: AddressSanitizer: SEGV on unknown address 0x62b000013e01 (pc 0x55b6ab85cc91 bp 0x7fff60bd4d70 sp 0x7fff60bd4ce0 T0)
> ==10595==The signal is caused by a READ memory access.
> #0 0x55b6ab85cc91 in gic_get_current_cpu /home/alxndr/
> #1 0x55b6ab85e1bd in gic_dist_writeb /home/alxndr/
> #2 0x55b6ab855a97 in gic_dist_write /home/alxndr/
> #3 0x55b6aa1650d4 in memory_
> #4 0x55b6aa163ac6 in access_
> #5 0x55b6aa161f35 in memory_
> #6 0x55b6a9313949 in flatview_
> #7 0x55b6a92fca11 in flatview_write /home/alxndr/
> #8 0x55b6a92fc54e in address_space_write /home/alxndr/
> =======
>
> Reproducer 2:
> cat << EOF | ./arm-softmmu/
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11f00 0x613a650f0fda6555
> EOF
>
> ==1375==ERROR: AddressSanitizer: heap-buffer-
> READ of size 8 at 0x608000001c80 thread T0
> #0 0x5618928c486d in address_
> #1 0x561892850acc in flatview_
> #2 0x5618928514ad in flatview_translate /home/alxndr/
> #3 0x5618928b1e14 in flatview_
> #4 0x56189289aa11 in flatview_write /home/alxndr/
> #5 0x56189289a54e in address_space_write /home/alxndr/
> #6 0x5618937a5e13 in qtest_process_
> #7 0x56189379d89f in qtest_process_inbuf /home/alxndr/
> #8 0x56189379c680 in qtest_read /home/alxndr/
> =======
>
> Reproducer 3:
> cat << EOF | ./arm-softmmu/
> -nographic -monitor none -serial none -qtest stdio
> writeq 0xfff11000 0x700000b
> writeq 0xfff11f00 0x4f4f4fff54a7afaf
> writel 0xfff10100 0x600001ff
> EOF
>
> ==23743==ERROR: AddressSanitizer: heap-buffer-
> READ of size 1 at 0x62b000006a92 thread T0
> #0 0x55d690d980e0 in gic_get_best_irq /home/alxndr/
> #1 0x55d690d9485b in gic_update_internal /home/alxndr/
> #2 0x55d690d90376 in gic_update /home/alxndr/
> #3 0x55d690dc0879 in gic_cpu_write /home/alxndr/
> #4 0x55d690da41c0 in gic_thiscpu_write /home/alxndr/
> #5 0x55d68f6b30d4 in memory_
> #6 0x55d68f6b1ac6 in access_
> #7 0x55d68f6aff35 in memory_
> #8 0x55d68e861949 in flatview_
> #9 0x55d68e84aa11 in flatview_write /home/alxndr/
> #10 0x55d68e84a54e in address_space_write /home/alxndr/
> #11 0x55d68f755537 in qtest_process_
> #12 0x55d68f74d89f in qtest_process_inbuf /home/alxndr/
> #13 0x55d68f74c680 in qtest_read /home/alxndr/
> #14 0x55d692dddc36 in qemu_chr_
> #15 0x55d692dddd79 in qemu_chr_be_write /home/alxndr/
> #16 0x55d692df105e in fd_chr_read /home/alxndr/
> #17 0x55d692f395df in qio_channel_
> #18 0x7f69a1b50897 in g_main_
> #19 0x55d6932f5c83 in glib_pollfds_poll /home/alxndr/
> #20 0x55d6932f35b6 in os_host_
> #21 0x55d6932f2f97 in main_loop_wait /home/alxndr/
> #22 0x55d68f76c62d in qemu_main_loop /home/alxndr/
> #23 0x55d692f6f20c in main /home/alxndr/
> #24 0x7f69a06d6e0a in __libc_start_main /build/
> #25 0x55d68e753459 in _start (/home/
>
> 0x62b000006a92 is located 2 bytes to the right of 26768-byte region [0x62b000000200
> allocated by thread T0 here:
> #0 0x55d68e7cbe4d in malloc (/home/
> #1 0x7f69a1b56500 in g_malloc (/usr/lib/
> #2 0x55d69254f231 in object_new /home/alxndr/
> #3 0x55d69034bf01 in qdev_new /home/alxndr/
> #4 0x55d68f2b7aa4 in calxeda_init /home/alxndr/
> #5 0x55d68f2b6466 in highbank_init /home/alxndr/
> #6 0x55d6903d43f1 in machine_
> #7 0x55d68f77e0ee in qemu_init /home/alxndr/
> #8 0x55d692f6f207 in main /home/alxndr/
> #9 0x7f69a06d6e0a in __libc_start_main /build/
>
>
> Let me know if I can provide any further info.
> -Alex
>
> To manage notifications about this bug go to:
> https:/