[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] 24ec28: spapr: fix buffer-overflow

From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 24ec28: spapr: fix buffer-overflow
Date: Thu, 30 Mar 2017 07:30:10 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 24ec2863b147aadd8cbd63f87ad0467210164304
  Author: Marc-André Lureau <address@hidden>
  Date:   2017-03-29 (Wed, 29 Mar 2017)

  Changed paths:
    M hw/ppc/spapr.c

  Log Message:
  spapr: fix buffer-overflow

Running postcopy-test with ASAN produces the following error:

QTEST_QEMU_BINARY=ppc64-softmmu/qemu-system-ppc64  tests/postcopy-test
==23641==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x7f1556600000 at pc 0x55b8e9d28208 bp 0x7f1555f4d3c0 sp 0x7f1555f4d3b0
READ of size 8 at 0x7f1556600000 thread T6
    #0 0x55b8e9d28207 in htab_save_first_pass 
    #1 0x55b8e9d2939c in htab_save_iterate 
    #2 0x55b8e9beae3a in qemu_savevm_state_iterate 
    #3 0x55b8ea677733 in migration_thread 
    #4 0x7f15845f46c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #5 0x7f157d9d0f7e in clone (/lib64/libc.so.6+0x107f7e)

0x7f1556600000 is located 0 bytes to the right of 2097152-byte region 
allocated by thread T0 here:
    #0 0x7f159bb76980 in posix_memalign (/lib64/libasan.so.3+0xc7980)
    #1 0x55b8eab185b2 in qemu_try_memalign 
    #2 0x55b8eab186c8 in qemu_memalign 
    #3 0x55b8e9d268a8 in spapr_reallocate_hpt 
    #4 0x55b8e9d26e04 in ppc_spapr_reset 
    #5 0x55b8ea12e913 in qemu_system_reset /home/elmarco/src/qq/vl.c:1697
    #6 0x55b8ea13fa40 in main /home/elmarco/src/qq/vl.c:4679
    #7 0x7f157d8e9400 in __libc_start_main (/lib64/libc.so.6+0x20400)

Thread T6 created by T0 here:
    #0 0x7f159bae0488 in __interceptor_pthread_create 
    #1 0x55b8eab1d9cb in qemu_thread_create 
    #2 0x55b8ea67874c in migrate_fd_connect 
    #3 0x55b8ea66cbb0 in migration_channel_connect 
    #4 0x55b8ea678f38 in socket_outgoing_migration 
    #5 0x55b8eaa5a03a in qio_task_complete /home/elmarco/src/qq/io/task.c:142
    #6 0x55b8eaa599cc in gio_task_thread_result 
    #7 0x7f15823e38e6  (/lib64/libglib-2.0.so.0+0x468e6)
SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/elmarco/src/qq/hw/ppc/spapr.c:1528 in htab_save_first_pass

index seems to be wrongly incremented, unless I miss something that
would be worth a comment.

Signed-off-by: Marc-André Lureau <address@hidden>
Signed-off-by: David Gibson <address@hidden>

  Commit: fe6824d12642b005c69123ecf8631f9b13553f8b
  Author: Laurent Vivier <address@hidden>
  Date:   2017-03-29 (Wed, 29 Mar 2017)

  Changed paths:
    M hw/ppc/spapr_drc.c
    M include/hw/ppc/spapr_drc.h

  Log Message:
  spapr: fix memory hot-unplugging

If, once the kernel has booted, we try to remove a memory
hotplugged while the kernel was not started, QEMU crashes on
an assert:

    qemu-system-ppc64: hw/virtio/vhost.c:651:
                 vhost_commit: Assertion `r >= 0' failed.
    #4  in vhost_commit
    #5  in memory_region_transaction_commit
    #6  in pc_dimm_memory_unplug
    #7  in spapr_memory_unplug
    #8  spapr_machine_device_unplug
    #9  in hotplug_handler_unplug
    #10 in spapr_lmb_release
    #11 in detach
    #12 in set_allocation_state
    #13 in rtas_set_indicator

If we take a closer look to the guest kernel log, we can see when
we try to unplug the memory:

    pseries-hotplug-mem: Attempting to hot-add 4 LMB(s)

What happens:

    1- The kernel has ignored the memory hotplug event because
       it was not started when it was generated.

    2- When we hot-unplug the memory,
       QEMU starts to remove the memory,
      generates an hot-unplug event,
  and signals the kernel of the incoming new event

    3- as the kernel is started, on the QEMU signal, it reads
       the event list, decodes the hotplug event and tries to
       finish the hotplugging.

    4- QEMU receive the the hotplug notification while it
       is trying to hot-unplug the memory. This moves the memory
       DRC to an invalid state

This patch prevents this by not allowing to set the allocation
state to USABLE while the DRC is awaiting release.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1432382

Signed-off-by: Laurent Vivier <address@hidden>
Signed-off-by: David Gibson <address@hidden>

  Commit: a67ec6ee2dbb3725f4291f17b5bdca5e086108a7
  Author: Peter Maydell <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M hw/ppc/spapr.c
    M hw/ppc/spapr_drc.c
    M include/hw/ppc/spapr_drc.h

  Log Message:
  Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170329' into 

ppc patch queue for 2017-03-29

Two more bugfixes of sufficient severity to warrant going into 2.9.

# gpg: Signature made Wed 29 Mar 2017 04:33:19 BST
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <address@hidden>"
# gpg:                 aka "David Gibson (Red Hat) <address@hidden>"
# gpg:                 aka "David Gibson (ozlabs.org) <address@hidden>"
# gpg:                 aka "David Gibson (kernel.org) <address@hidden>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.9-20170329:
  spapr: fix memory hot-unplugging
  spapr: fix buffer-overflow

Signed-off-by: Peter Maydell <address@hidden>

Compare: https://github.com/qemu/qemu/compare/e68dd68496e8...a67ec6ee2dbb

reply via email to

[Prev in Thread] Current Thread [Next in Thread]