Comment 2 for bug 1912780

P J P (pjps) wrote :

The given reproducer does not seem to work as expected to trigger this issue.
IIUC, the issue occurs because a privileged guest user may change the selected
floppy drive via an FD_REG_DOR:fdctrl_write_dor() ioport write command:

  static void fdctrl_write_dor(FDCtrl *fdctrl, uint32_t value)
  {
      ...
      /* Selected drive */
      fdctrl->cur_drv = value & FD_DOR_SELMASK; /* <= selected drive changes based on 'value' */
      ...
  }

A little tweaking of the parameters under gdb reproduces the crash:

$ gdb --args ./bin/qemu-system-x86_64 -runas test -nographic -enable-kvm -m 2048
   -drive file=fdc.img,format=qcow2,if=floppy,id=myfdc /var/lib/libvirt/images/f27vm.qcow2
...
==541702==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000034c (pc 0x55555938377f bp 0x7fff6f3fdeb0 sp 0x7fff6f3fdea0 T3)
==541702==The signal is caused by a WRITE memory access.
==541702==Hint: address points to the zero page.
    #0 0x55555938377f in blk_inc_in_flight ../block/block-backend.c:1356
    #1 0x55555938325b in blk_prw ../block/block-backend.c:1328
    #2 0x555559384ec5 in blk_pread ../block/block-backend.c:1491
    #3 0x555557d7c798 in fdctrl_read_data ../hw/block/fdc.c:1919
    #4 0x555557d7207c in fdctrl_read ../hw/block/fdc.c:936
    #5 0x555558ee7c40 in portio_read ../softmmu/ioport.c:179
    #6 0x555558c9a0c1 in memory_region_read_accessor ../softmmu/memory.c:442
    #7 0x555558c9af04 in access_with_adjusted_size ../softmmu/memory.c:552
    #8 0x555558ca7159 in memory_region_dispatch_read1 ../softmmu/memory.c:1420
    #9 0x555558ca7433 in memory_region_dispatch_read ../softmmu/memory.c:1449
    #10 0x555558f6214e in flatview_read_continue ../softmmu/physmem.c:2822
    #11 0x555558f62560 in flatview_read ../softmmu/physmem.c:2862
    #12 0x555558f62700 in address_space_read_full ../softmmu/physmem.c:2875
    #13 0x555558f62977 in address_space_rw ../softmmu/physmem.c:2903
    #14 0x555558d037b9 in kvm_handle_io ../accel/kvm/kvm-all.c:2285
    #15 0x555558d05a4b in kvm_cpu_exec ../accel/kvm/kvm-all.c:2531
    #16 0x555558ee0efa in kvm_vcpu_thread_fn ../accel/kvm/kvm-cpus.c:49
    #17 0x55555977ec18 in qemu_thread_start ../util/qemu-thread-posix.c:521
    #18 0x7ffff63323f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
    #19 0x7ffff625f902 in __GI___clone (/lib64/libc.so.6+0x101902)
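The path in the trace is a data-port read reaching blk_pread() for a drive slot that has no BlockBackend attached, after a DOR write moved cur_drv to that slot. The following is an added, simplified model of that path (not QEMU's code); the BlockBackend struct, the MAX_FD / FD_DOR_SELMASK_MODEL values and the helper names are assumptions, and the NULL-backend guard in fdctrl_read_data() illustrates the kind of check that keeps the read from dereferencing a missing backend.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FD 2                    /* assumed: two drive slots, as on a PC fdc */
#define FD_DOR_SELMASK_MODEL 0x01   /* assumed mask: low bit selects the drive */

/* Stand-in for QEMU's BlockBackend; a NULL pointer models an unattached drive. */
typedef struct { uint8_t sector0[512]; } BlockBackend;
typedef struct { BlockBackend *blk; } FDrive;
typedef struct {
    FDrive drives[MAX_FD];
    unsigned cur_drv;
} FDCtrl;

/* Guest-controlled DOR write: the masked value picks the current drive,
 * exactly the assignment quoted from fdctrl_write_dor() above. */
static void fdctrl_write_dor(FDCtrl *fdctrl, uint32_t value)
{
    fdctrl->cur_drv = value & FD_DOR_SELMASK_MODEL;
}

/* Data-port read. Returns 0 on success and -1 when the selected slot has no
 * backend, so the call into the block layer (blk_pread in QEMU, memcpy in
 * this model) is never made with a NULL BlockBackend. */
static int fdctrl_read_data(FDCtrl *fdctrl, uint8_t *out, size_t len)
{
    FDrive *drv = &fdctrl->drives[fdctrl->cur_drv];
    if (drv->blk == NULL) {
        return -1;  /* guard: an unattached drive cannot be read */
    }
    memcpy(out, drv->blk->sector0, len < sizeof drv->blk->sector0 ? len : sizeof drv->blk->sector0);
    return 0;
}

/* Constructed scenario: slot 0 has a backend, slot 1 is unattached. The guest
 * writes 'sel' to the DOR and then reads the data port. */
static int read_after_selecting(uint32_t sel)
{
    static BlockBackend backend;   /* zero-filled sample media */
    FDCtrl ctl = { { { &backend }, { NULL } }, 0 };
    uint8_t buf[512];
    fdctrl_write_dor(&ctl, sel);
    return fdctrl_read_data(&ctl, buf, sizeof buf);
}

int main(void)
{
    printf("select 0: %d\nselect 1: %d\n", read_after_selecting(0), read_after_selecting(1));
    return 0;
}
```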