QEMU

QEMU crashes on ioport access

Bug #994662 reported by Sasha Levin on 2012-05-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Expired	High	Unassigned

Bug Description

While running a fuzzer inside the guest, QEMU crashed with the following message and dumped the state of all vcpus:

qemu: hardware error: register_ioport_read: invalid opaque for address 0x0Al
CPU #0:
RAX=ffff880007a73000 RBX=ffff8800095b6000 RCX=ffff880007a33530 RDX=ffff880007a33530
RSI=0000000000aa6000 RDI=0000000000aa6000 RBP=ffff880007c13c68 RSP=ffff880007c13c48
R8 =0000000000000000 R9 =0000000000000000 R10=0000000000000000 R11=0000000000000001
R12=0000000000aa6000 R13=8000000033556045 R14=0000000000aa6000 R15=ffff8800095b6000
RIP=ffffffff8108ae02 RFL=00000282 [--S----] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00000000
FS =0000 00007f7de18e8700 ffffffff 00000000
GS =0000 ffff88000d800000 ffffffff 00000000
LDT=0000 0000000000000000 ffffffff 00000000
TR =0040 ffff88000d9d2540 00002087 00008b00 DPL=0 TSS64-busy
GDT= ffff88000d804000 0000007f
IDT= ffffffff8436d000 00000fff
CR0=8005003b CR2=00007f2f25752e9c CR3=0000000007a3d000 CR4=000407f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000ff0000000000ff00000000 XMM01=25252525252525252525252525252525
XMM02=00000000000000000000000000000000 XMM03=ffff0000000000000000000000000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
CPU #1:
RAX=ffff88001b588000 RBX=ffffea00004ab300 RCX=ffffc90000304000 RDX=0000000000000005
RSI=ffffc90000304000 RDI=0050000000380028 RBP=ffff880012681c38 RSP=ffff880012681c28
R8 =0000000000000000 R9 =0000000000000000 R10=0000000000000000 R11=0000000000000002
R12=0000000000000004 R13=ffff88001bfd3000 R14=0000000000fef000 R15=ffff88000ed51000
RIP=ffffffff811daf87 RFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00000000
FS =0000 00007fe38bb99700 ffffffff 00000000
GS =0000 ffff88001b800000 ffffffff 00000000
LDT=0000 0000000000000000 ffffffff 00000000
TR =0040 ffff88001b9d2540 00002087 00008b00 DPL=0 TSS64-busy
GDT= ffff88001b804000 0000007f
IDT= ffffffff8436d000 00000fff
CR0=8005003b CR2=00007f2f25ac4518 CR3=000000001173e000 CR4=000407e0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000ff0000ff000000ff XMM01=25252525252525252525252525252525
XMM02=00000000000000000000000000000000 XMM03=0000ff000000ff0000000000ff000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
CPU #2:
RAX=000000000000001d RBX=0000000000000080 RCX=0000000000000080 RDX=0000000000000cfc
RSI=0000000000000000 RDI=0000000000000086 RBP=ffff8800121f7de8 RSP=ffff8800121f7db8
R8 =0000000000000004 R9 =000000000000001d R10=0000000000000000 R11=0000000000000002
R12=ffff88001b7b0000 R13=000000000000001d R14=0000000000000084 R15=ffff88003523ad00
RIP=ffffffff82870591 RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00000000
FS =0000 00007f2f25ce7700 ffffffff 00000000
GS =0000 ffff880029800000 ffffffff 00000000
LDT=0000 0000000000000000 ffffffff 00000000
TR =0040 ffff8800299d2540 00002087 00008b00 DPL=0 TSS64-busy
GDT= ffff880029804000 0000007f
IDT= ffffffff8436d000 00000fff
CR0=80050033 CR2=00007f2f25750003 CR3=0000000011b88000 CR4=000407e0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000ff0000ff000000ff XMM01=25252525252525252525252525252525
XMM02=00000000000000000000000000000000 XMM03=0000ff000000ff0000000000ff000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
CPU #3:
RAX=0000000000000086 RBX=0000000000000086 RCX=0000000000000001 RDX=ffff88001afb3000
RSI=0000000000000001 RDI=ffffffff810f1904 RBP=ffff88001afb9c50 RSP=ffff88001afb9c38
R8 =0000000000000000 R9 =0000000000000001 R10=0000000000000000 R11=0000000000000001
R12=ffff88001afb38e0 R13=0000000000000001 R14=ffffffff82d967a8 R15=ffffffff82d967a8
RIP=ffffffff811171ee RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00000000
FS =0000 0000000000000000 ffffffff 00000000
GS =0000 ffff880035a00000 ffffffff 00000000
LDT=0000 0000000000000000 ffffffff 00000000
TR =0040 ffff880035bd2540 00002087 00008b00 DPL=0 TSS64-busy
GDT= ffff880035a04000 0000007f
IDT= ffffffff8436d000 00000fff
CR0=8005003b CR2=0000000000af7130 CR3=000000002cffb000 CR4=000407e0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000ff0000ff000000ff XMM01=25252525252525252525252525252525
XMM02=00000000000000000000000000000000 XMM03=0000ff000000ff0000000000ff000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000

And this is the trace:

Thread 5 (Thread 0x7fffee7b8700 (LWP 1754)):
#0 0x00007ffff40d3ad5 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff40d4f56 in *__GI_abort () at abort.c:93
#2 0x000055555572a0fa in hw_error (fmt=<optimized out>) at /home/sasha/work/src/qemu-kvm/cpus.c:357
#3 0x0000555555750265 in register_ioport_read (start=<optimized out>, length=<optimized out>, size=<optimized out>,
    func=<optimized out>, opaque=<optimized out>) at /home/sasha/work/src/qemu-kvm/ioport.c:154
#4 0x0000555555750364 in ioport_register (ioport=0x5555565401b8) at /home/sasha/work/src/qemu-kvm/ioport.c:240
#5 0x000055555575e910 in access_with_adjusted_size (addr=0, value=0x7fffee7b7db8, size=4, access_size_min=<optimized out>,
    access_size_max=<optimized out>, access=0x55555575e830 <memory_region_write_accessor>, opaque=0x5555564c1eb0)
    at /home/sasha/work/src/qemu-kvm/memory.c:359
#6 0x0000555555760212 in memory_region_iorange_write (iorange=<optimized out>, offset=0, width=4, data=29)
    at /home/sasha/work/src/qemu-kvm/memory.c:436
#7 0x000055555575375d in kvm_handle_io (count=1, size=4, direction=1025, data=<optimized out>, port=3324)
    at /home/sasha/work/src/qemu-kvm/kvm-all.c:1132
#8 kvm_cpu_exec (env=0x55555648b810) at /home/sasha/work/src/qemu-kvm/kvm-all.c:1274
#9 0x0000555555729781 in qemu_kvm_cpu_thread_fn (arg=0x55555648b810) at /home/sasha/work/src/qemu-kvm/cpus.c:733
#10 0x00007ffff647ad0c in start_thread (arg=0x7fffee7b8700) at pthread_create.c:301
#11 0x00007ffff417af1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Anthony Liguori (anthony-codemonkey) on 2012-05-04

security vulnerability:	yes → no
visibility:	private → public

Revision history for this message

Thomas Huth (th-huth) wrote on 2017-05-01:

Has this issue been fixed or can it still be reproduced with the latest version of QEMU?

Changed in qemu:
status:	New → Incomplete
importance:	Undecided → High

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-07-01:

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status:	Incomplete → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.