[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1729501] Re: qemu crashes with assertion error `off_cu
|
From: |
Liang Dai |
|
Subject: |
[Qemu-devel] [Bug 1729501] Re: qemu crashes with assertion error `off_cur_end >= off_cur' failed |
|
Date: |
Mon, 06 Nov 2017 07:28:03 -0000 |
Hi Gerd,
Would you please take a look at this patch, testing shows it prevents
these crashes. I'm not an expert, just to give you more information.
I cannot public the fuzzer program, if you need to gather more
diagnostic information or try test patches, I'm happy to help.
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 1d19f6b..ab6cd47 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1240,6 +1240,24 @@ static void vga_draw_text(VGACommonState *s, int
full_update)
palette = s->last_palette;
x_incr = cw * surface_bytes_per_pixel(surface);
+ /*
+ * In theory, line_offset = width * 4, if line_offset is
+ * less than width * 4, then afterwards, memory operation
+ * on server surface might overflow
+ */
+ if (s->line_offset < 4 * width) {
+ s->line_offset = 4 * width;
+ line_offset = s->line_offset;
+ }
+
+ /*
+ * The above if statement might introduce overflow since it
+ * might increase s->line_offset
+ */
+ if (s->start_addr * 4 + line_offset * height >= s->vram_size) {
+ height = (s->vram_size - 1 - s->start_addr * 4) / line_offset;
+ }
+
if (full_update) {
s->full_update_text = 1;
}
@@ -1464,7 +1482,7 @@ static void vga_draw_graphic(VGACommonState *s, int
full_update)
{
DisplaySurface *surface = qemu_console_surface(s->con);
int y1, y, update, linesize, y_start, double_scan, mask, depth;
- int width, height, shift_control, bwidth, bits;
+ int width, height, shift_control, bwidth, bits, bpp;
ram_addr_t page0, page1, region_start, region_end;
DirtyBitmapSnapshot *snap = NULL;
int disp_width, multi_scan, multi_run;
@@ -1522,6 +1540,13 @@ static void vga_draw_graphic(VGACommonState *s, int
full_update)
}
depth = s->get_bpp(s);
+ bpp = depth / 8;
+ if (s->line_offset < disp_width * bpp) {
+ s->line_offset = disp_width * bpp;
+ }
+ if (s->start_addr * 4 + s->line_offset * height >= s->vram_size) {
+ height = (s->vram_size - 1 - s->start_addr * 4) / s->line_offset;
+ }
/*
* Check whether we can share the surface with the backend
@@ -1717,7 +1742,7 @@ static void vga_draw_graphic(VGACommonState *s, int
full_update)
static void vga_draw_blank(VGACommonState *s, int full_update)
{
DisplaySurface *surface = qemu_console_surface(s->con);
- int i, w;
+ int i, h, w;
uint8_t *d;
if (!full_update)
@@ -1727,12 +1752,16 @@ static void vga_draw_blank(VGACommonState *s, int
full_update)
w = s->last_scr_width * surface_bytes_per_pixel(surface);
d = surface_data(surface);
+ if (w > surface_stride(surface)) {
+ w = surface_stride(surface);
+ }
+ h = MIN(s->last_scr_height, surface_height(surface));
for(i = 0; i < s->last_scr_height; i++) {
memset(d, 0, w);
d += surface_stride(surface);
}
dpy_gfx_update(s->con, 0, 0,
- s->last_scr_width, s->last_scr_height);
+ w, h);
}
#define GMODE_TEXT 0
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1729501
Title:
qemu crashes with assertion error `off_cur_end >= off_cur' failed
Status in QEMU:
New
Bug description:
My host environment: Xen + QEMU
git clones today's xen git and qemu git (2017-11-02)
xen -- git://xenbits.xen.org/xen.git
commit 24fb44e971a62b345c7b6ca3c03b454a1e150abe
qemu -- https://github.com/qemu/qemu
commit 47ba789c97c8d201d01058b00a14d8a9a85fcfe9
QEMU was compiled using:
./configure --prefix=/mnt/bin/ --enable-xen --target-list=i386-softmmu
--extra-cflags="-I/mnt/xen/tools/include -I/mnt/xen/tools/libxc
-I/mnt/xen/tools/xenstore" --extra-ldflags="-L/mnt/xen/tools/libxc
-L/mnt/xen/tools/xenstore" --enable-debug --enable-debug-stack-usage
Xen was configured with the above QEMU distribution:
./configure --with-system-qemu=/mnt/bin/bin/qemu-system-i386
QEMU command line:
/mnt/bin/bin/qemu-system-i386 -xen-domid 28 -chardev
socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-28,server,nowait -no-shutdown
-mon chardev=libxl-cmd,mode=control -chardev
socket,id=libxenstat-cmd,path=/var/run/xen/qmp-libxenstat-28,server,nowait -mon
chardev=libxenstat-cmd,mode=control -nodefaults -no-user-config -name ubu_hvm
-vnc 0.0.0.0:1,to=99 -display none -serial pty -device cirrus-vga,vgamem_mb=8
-boot order=c -smp 2,maxcpus=2 -device
rtl8139,id=nic0,netdev=net0,mac=00:16:3e:74:34:32 -netdev
type=tap,id=net0,ifname=vif28.0-emu,script=no,downscript=no -device
rtl8139,id=nic1,netdev=net1,mac=00:16:3e:5f:48:e4 -netdev
type=tap,id=net1,ifname=vif28.1-emu,script=no,downscript=no -machine xenfv -m
1504 -drive
file=/mnt/10G.hdd,if=ide,index=0,media=disk,format=raw,cache=writeback
Produce:
I run a fuzzer program in guest vm, it may set incorrect values for graphics
registers, sequencer registers and other registers.
Seeing the following error from /var/log/xen/qemu-dm-<vm-name>.log:
qemu-system-i386: hw/display/cirrus_vga.c:712: cirrus_invalidate_region:
Assertion `off_cur_end >= off_cur' failed.
I can reproduce it at anytime, if you need to gather more diagnostic
information or try test patches, I'm happy to help.
gdb bt:
#0 0x00007f81a64f8c37 in __GI_raise (address@hidden) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007f81a64fc028 in __GI_abort () at abort.c:89
#2 0x00007f81a64f1bf6 in __assert_fail_base (fmt=0x7f81a6646018 "%s%s%s:%u:
%s%sAssertion `%s' failed.\n%n",
address@hidden "off_cur_end >= off_cur", address@hidden
"hw/display/cirrus_vga.c", address@hidden,
address@hidden <__PRETTY_FUNCTION__.40643> "cirrus_invalidate_region") at
assert.c:92
#3 0x00007f81a64f1ca2 in __GI___assert_fail (assertion=0x55d70cf8cdf2
"off_cur_end >= off_cur", file=0x55d70cf8cda9 "hw/display/cirrus_vga.c",
line=712,
function=0x55d70cf8db60 <__PRETTY_FUNCTION__.40643>
"cirrus_invalidate_region") at assert.c:101
#4 0x000055d70cb66445 in cirrus_invalidate_region (s=0x55d70ee3a4b0,
off_begin=4190568, off_pitch=1842, bytesperline=5056, lines=2922) at
hw/display/cirrus_vga.c:712
#5 0x000055d70cb6660c in cirrus_bitblt_common_patterncopy (s=0x55d70ee3a4b0)
at hw/display/cirrus_vga.c:752
#6 0x000055d70cb6676d in cirrus_bitblt_videotovideo_patterncopy
(s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:786
#7 0x000055d70cb670c5 in cirrus_bitblt_videotovideo (s=0x55d70ee3a4b0) at
hw/display/cirrus_vga.c:986
#8 0x000055d70cb678bf in cirrus_bitblt_start (s=0x55d70ee3a4b0) at
hw/display/cirrus_vga.c:1136
#9 0x000055d70cb6880b in cirrus_vga_write_gr (s=0x55d70ee3a4b0,
reg_index=42, reg_value=228) at hw/display/cirrus_vga.c:1652
#10 0x000055d70cb6ab86 in cirrus_vga_ioport_write (opaque=0x55d70ee3a4b0,
addr=975, val=228, size=1) at hw/display/cirrus_vga.c:2754
#11 0x000055d70c91d9c0 in memory_region_write_accessor (mr=0x55d70ee4af70,
addr=31, value=0x7fffdaaeaf38, size=1, shift=8, mask=255, attrs=...)
at /mnt/qemu/memory.c:560
#12 0x000055d70c91dc3a in access_with_adjusted_size (addr=30,
value=0x7fffdaaeaf38, size=2, access_size_min=1, access_size_max=1,
access_fn=0x55d70c91d8c9 <memory_region_write_accessor>,
mr=0x55d70ee4af70, attrs=...) at /mnt/qemu/memory.c:627
#13 0x000055d70c920f48 in memory_region_dispatch_write (mr=0x55d70ee4af70,
addr=30, data=58410, size=2, attrs=...) at /mnt/qemu/memory.c:1503
#14 0x000055d70c8c51e0 in flatview_write_continue (fv=0x55d70ecb66d0,
addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4, addr1=30,
l=2,
mr=0x55d70ee4af70) at /mnt/qemu/exec.c:2951
#15 0x000055d70c8c5390 in flatview_write (fv=0x55d70ecb66d0, addr=974,
attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4) at
/mnt/qemu/exec.c:3002
#16 0x000055d70c8c5406 in address_space_write (as=0x55d70d70d5e0
<address_space_io>, addr=974, attrs=..., buf=0x7fffdaaeb0f0
"*\344W\026\377\177", len=4)
at /mnt/qemu/exec.c:3014
#17 0x000055d70c914fb3 in cpu_outl (addr=974, val=374858794) at
/mnt/qemu/ioport.c:81
#18 0x000055d70ca0253f in do_outp (addr=974, size=4, val=374858794) at
/mnt/qemu/hw/i386/xen/xen-hvm.c:782
#19 0x000055d70ca02888 in cpu_ioreq_pio (req=0x7fffdaaeb210) at
/mnt/qemu/hw/i386/xen/xen-hvm.c:852
#20 0x000055d70ca02f2e in handle_ioreq (state=0x55d70e0cf3d0,
req=0x7fffdaaeb210) at /mnt/qemu/hw/i386/xen/xen-hvm.c:961
#21 0x000055d70ca0343e in cpu_handle_ioreq (opaque=0x55d70e0cf3d0) at
/mnt/qemu/hw/i386/xen/xen-hvm.c:1089
#22 0x000055d70ce75d69 in aio_dispatch_handlers (ctx=0x55d70e098550) at
util/aio-posix.c:406
#23 0x000055d70ce75f0b in aio_dispatch (ctx=0x55d70e098550) at
util/aio-posix.c:437
#24 0x000055d70ce70b46 in aio_ctx_dispatch (source=0x55d70e098550,
callback=0x0, user_data=0x0) at util/async.c:261
#25 0x00007f81a7215e04 in g_main_context_dispatch () from
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x000055d70ce74455 in glib_pollfds_poll () at util/main-loop.c:214
#27 0x000055d70ce7456a in os_host_main_loop_wait (timeout=16061710) at
util/main-loop.c:261
#28 0x000055d70ce7463f in main_loop_wait (nonblocking=0) at
util/main-loop.c:515
#29 0x000055d70ca8e6a6 in main_loop () at vl.c:1995
#30 0x000055d70ca96815 in main (argc=42, argv=0x7fffdaaeb888,
envp=0x7fffdaaeb9e0) at vl.c:4897
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1729501/+subscriptions