diff for duplicates of <c8326e26-c529-18c1-4bd2-63a5aec071fb@redhat.com>
diff --git a/a/1.txt b/N1/1.txt
index 90617bc..4ab4587 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -14,3 +14,46 @@ Is this framework already implemented in the hidden dma-helpers.c?
 
 Apparently this file was written for BlockBackend, but the code seems
 rather generic.
+
+-- 
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1880355
+
+Title:
+ Length restrictions for fw_cfg_dma_transfer?
+
+Status in QEMU:
+ New
+
+Bug description:
+ For me, this takes close to 3 minutes at 100% CPU:
+ echo "outl 0x518 0x9596ffff" | ./i386-softmmu/qemu-system-i386 -M q35 -m 32 -nographic -accel qtest -monitor none -serial none -qtest stdio
+
+ #0 phys_page_find (d=0x606000035d80, addr=136728041144404) at /exec.c:338
+ #1 address_space_lookup_region (d=0x606000035d80, addr=136728041144404, resolve_subpage=true) at /exec.c:363
+ #2 address_space_translate_internal (d=0x606000035d80, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, resolve_subpage=true) at /exec.c:382
+ #3 flatview_do_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen_out=0x7fff1fc0d090, page_mask_out=0x0, is_write=true, is_mmio=true, target_as=0x7fff1fc0ce10, attrs=...)
+ pment/qemu/exec.c:520
+ #4 flatview_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, is_write=true, attrs=...) at /exec.c:586
+ #5 flatview_write_continue (fv=0x606000035d20, addr=136728041144404, attrs=..., ptr=0x7fff1fc0d660, len=172, addr1=136728041144400, l=172, mr=0x557fd54e77e0 <io_mem_unassigned>)
+ pment/qemu/exec.c:3160
+ #6 flatview_write (fv=0x606000035d20, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3177
+ #7 address_space_write (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3271
+ #8 dma_memory_set (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, c=0 '\000', len=1378422272) at /dma-helpers.c:31
+ #9 fw_cfg_dma_transfer (s=0x61a000001e80) at /hw/nvram/fw_cfg.c:400
+ #10 fw_cfg_dma_mem_write (opaque=0x61a000001e80, addr=4, value=4294940309, size=4) at /hw/nvram/fw_cfg.c:467
+ #11 memory_region_write_accessor (mr=0x61a000002200, addr=4, value=0x7fff1fc0e3d0, size=4, shift=0, mask=4294967295, attrs=...) at /memory.c:483
+ #12 access_with_adjusted_size (addr=4, value=0x7fff1fc0e3d0, size=4, access_size_min=1, access_size_max=8, access_fn=0x557fd2288c80 <memory_region_write_accessor>, mr=0x61a000002200, attrs=...)
+ pment/qemu/memory.c:539
+ #13 memory_region_dispatch_write (mr=0x61a000002200, addr=4, data=4294940309, op=MO_32, attrs=...) at /memory.c:1476
+ #14 flatview_write_continue (fv=0x606000035f00, addr=1304, attrs=..., ptr=0x7fff1fc0ec40, len=4, addr1=4, l=4, mr=0x61a000002200) at /exec.c:3137
+ #15 flatview_write (fv=0x606000035f00, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3177
+ #16 address_space_write (as=0x557fd54e7bc0 <address_space_io>, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3271
+
+ 
+ It looks like fw_cfg_dma_transfer gets the address(136728041144064) and length(1378422272) for the read from the value provided as input 4294940309 (0xFFFF9695) which lands in pcbios. Should there be any limits on the length of guest-memory that fw_cfg should populate?
+ Found by libfuzzer
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1880355/+subscriptions
diff --git a/a/content_digest b/N1/content_digest
index 0492d03..4fb969a 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -8,26 +8,16 @@
  "ref\0CAFEAcA83E33xNjhXvbZr9oe7TO9kMa0nArroCA_mY3zy+0bq2g\@mail.gmail.com\0"
 ]
 [
- "From\0Philippe Mathieu-Daud\303\251 <philmd\@redhat.com>\0"
+ "From\0Philippe Mathieu-Daud\303\251 <1880355\@bugs.launchpad.net>\0"
 ]
 [
  "Subject\0Re: [Bug 1880355] [NEW] Length restrictions for fw_cfg_dma_transfer?\0"
 ]
 [
- "Date\0Sun, 24 May 2020 16:27:48 +0200\0"
+ "Date\0Sun, 24 May 2020 14:27:48 -0000\0"
 ]
 [
- "To\0Peter Maydell <peter.maydell\@linaro.org>\0"
-]
-[
- "Cc\0Michael S. Tsirkin <mst\@redhat.com>",
- " Mark Cave-Ayland <mark.cave-ayland\@ilande.co.uk>",
- " QEMU Developers <qemu-devel\@nongnu.org>",
- " Bug 1880355 <1880355\@bugs.launchpad.net>",
- " Gerd Hoffmann <kraxel\@redhat.com>",
- " Stefan Hajnoczi <stefanha\@redhat.com>",
- " Paolo Bonzini <pbonzini\@redhat.com>",
- " Laszlo Ersek <lersek\@redhat.com>\0"
+ "To\0qemu-devel\@nongnu.org\0"
 ]
 [
  "\0000:1\0"
@@ -51,7 +41,50 @@
  "Is this framework already implemented in the hidden dma-helpers.c?\n",
  "\n",
  "Apparently this file was written for BlockBackend, but the code seems\n",
- "rather generic."
+ "rather generic.\n",
+ "\n",
+ "-- \n",
+ "You received this bug notification because you are a member of qemu-\n",
+ "devel-ml, which is subscribed to QEMU.\n",
+ "https://bugs.launchpad.net/bugs/1880355\n",
+ "\n",
+ "Title:\n",
+ " Length restrictions for fw_cfg_dma_transfer?\n",
+ "\n",
+ "Status in QEMU:\n",
+ " New\n",
+ "\n",
+ "Bug description:\n",
+ " For me, this takes close to 3 minutes at 100% CPU:\n",
+ " echo \"outl 0x518 0x9596ffff\" | ./i386-softmmu/qemu-system-i386 -M q35 -m 32 -nographic -accel qtest -monitor none -serial none -qtest stdio\n",
+ "\n",
+ " #0 phys_page_find (d=0x606000035d80, addr=136728041144404) at /exec.c:338\n",
+ " #1 address_space_lookup_region (d=0x606000035d80, addr=136728041144404, resolve_subpage=true) at /exec.c:363\n",
+ " #2 address_space_translate_internal (d=0x606000035d80, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, resolve_subpage=true) at /exec.c:382\n",
+ " #3 flatview_do_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen_out=0x7fff1fc0d090, page_mask_out=0x0, is_write=true, is_mmio=true, target_as=0x7fff1fc0ce10, attrs=...)\n",
+ " pment/qemu/exec.c:520\n",
+ " #4 flatview_translate (fv=0x606000035d20, addr=136728041144404, xlat=0x7fff1fc0d070, plen=0x7fff1fc0d090, is_write=true, attrs=...) at /exec.c:586\n",
+ " #5 flatview_write_continue (fv=0x606000035d20, addr=136728041144404, attrs=..., ptr=0x7fff1fc0d660, len=172, addr1=136728041144400, l=172, mr=0x557fd54e77e0 <io_mem_unassigned>)\n",
+ " pment/qemu/exec.c:3160\n",
+ " #6 flatview_write (fv=0x606000035d20, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3177\n",
+ " #7 address_space_write (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, attrs=..., buf=0x7fff1fc0d660, len=512) at /exec.c:3271\n",
+ " #8 dma_memory_set (as=0x557fd54e7a00 <address_space_memory>, addr=136728041144064, c=0 '\\000', len=1378422272) at /dma-helpers.c:31\n",
+ " #9 fw_cfg_dma_transfer (s=0x61a000001e80) at /hw/nvram/fw_cfg.c:400\n",
+ " #10 fw_cfg_dma_mem_write (opaque=0x61a000001e80, addr=4, value=4294940309, size=4) at /hw/nvram/fw_cfg.c:467\n",
+ " #11 memory_region_write_accessor (mr=0x61a000002200, addr=4, value=0x7fff1fc0e3d0, size=4, shift=0, mask=4294967295, attrs=...) at /memory.c:483\n",
+ " #12 access_with_adjusted_size (addr=4, value=0x7fff1fc0e3d0, size=4, access_size_min=1, access_size_max=8, access_fn=0x557fd2288c80 <memory_region_write_accessor>, mr=0x61a000002200, attrs=...)\n",
+ " pment/qemu/memory.c:539\n",
+ " #13 memory_region_dispatch_write (mr=0x61a000002200, addr=4, data=4294940309, op=MO_32, attrs=...) at /memory.c:1476\n",
+ " #14 flatview_write_continue (fv=0x606000035f00, addr=1304, attrs=..., ptr=0x7fff1fc0ec40, len=4, addr1=4, l=4, mr=0x61a000002200) at /exec.c:3137\n",
+ " #15 flatview_write (fv=0x606000035f00, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3177\n",
+ " #16 address_space_write (as=0x557fd54e7bc0 <address_space_io>, addr=1304, attrs=..., buf=0x7fff1fc0ec40, len=4) at /exec.c:3271\n",
+ "\n",
+ " \n",
+ " It looks like fw_cfg_dma_transfer gets the address(136728041144064) and length(1378422272) for the read from the value provided as input 4294940309 (0xFFFF9695) which lands in pcbios. Should there be any limits on the length of guest-memory that fw_cfg should populate?\n",
+ " Found by libfuzzer\n",
+ "\n",
+ "To manage notifications about this bug go to:\n",
+ "https://bugs.launchpad.net/qemu/+bug/1880355/+subscriptions"
 ]
-2e5ba245a6dd17632fef28df87b35bf963ca9f81dd6d271bfa2e5348b1da90fe
+acad2f9060a3338c10e1c9cfead5ba8d6669648c66ac031cd3be389b58773d8b