
[Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crash


From: Gerd Hoffmann
Subject: [Qemu-devel] [Bug 1713825] Re: Booting Windows 2016 with qxl video crashes qemu
Date: Wed, 15 Nov 2017 07:43:27 -0000

Guest triggerable assert() isn't exactly nice indeed.
But it's not a show stopper.
It doesn't allow exploiting the host, the guest can only DoS itself.
And you must be privileged in the guest to do so.

Most likely this is the driver placing the qxl commands in the wrong pci
bar.  See commit 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858.  Seems the
impact is more than breaking live migration.  So, I can raise an error
irq and have qxl enter guest bug mode.  That doesn't improve the
situation much though, the guest will continue running but you will have
broken display ...

https://bugs.launchpad.net/bugs/1713825

Title:
  Booting Windows 2016 with qxl video crashes qemu

Status in QEMU:
  New

Bug description:
  launched from libvirt.

  qemu version: 2.9.0
  host: Linux <hostname> 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux
  guest: Windows 2016 64 bit

  Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)):
  #0  __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:51
          set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810, 139694281220940, 139694281220640, 139694281220940, 0, 0, 0}}
          pid = <optimized out>
          tid = <optimized out>
  #1  0x00007f0ea40b644a in __GI_abort () at abort.c:89
          save_stage = 2
          act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0, 139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416, sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>}
          sigs = {__val = {32, 0 <repeats 15 times>}}
  #2  0x00007f0ea40abab6 in __assert_fail_base (fmt=<optimized out>, address@hidden "offset < qxl->vga.vram_size", address@hidden "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", address@hidden, address@hidden <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92
          str = 0x7f0d1c026220 "\340r\002\034\r\177"
          total = 4096
  #3  0x00007f0ea40abb81 in __GI___assert_fail (address@hidden "offset < qxl->vga.vram_size", address@hidden "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", address@hidden, address@hidden <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101
  No locals.
  #4  0x000055af6cc58805 in qxl_ram_set_dirty (qxl=<optimized out>, ptr=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416
          base = <optimized out>
          offset = <optimized out>
          qxl = <optimized out>
          ptr = <optimized out>
          base = <optimized out>
          offset = <optimized out>
  #5  0x000055af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767
          qxl = 0x55af71a91450
          ring = <optimized out>
          item = <optimized out>
          id = 18446690739814400920
          __func__ = "interface_release_resource"
  #6  0x00007f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101
  No locals.
  #7  0x00007f0ea510b609 in red_drawable_unref (red_drawable=<optimized out>) at red-worker.c:104
  No locals.
  #8  0x00007f0ea510eae9 in drawable_unref (address@hidden) at display-channel.c:1438
          display = 0x55af71dbd3c0
          __FUNCTION__ = "drawable_unref"
  #9  0x00007f0ea51109f7 in draw_until (address@hidden, address@hidden, last=0x7f0e68285ac0) at display-channel.c:1637
          container = 0x0
          now = 0x7f0e68285ac0
  #10 0x00007f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=<optimized out>) at display-channel.c:1729
          surface = 0x7f0e6828aae8
          last = <optimized out>
          __FUNCTION__ = "display_channel_draw"
          __func__ = "display_channel_draw"

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1713825/+subscriptions
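The backtrace above ends in the assertion "offset < qxl->vga.vram_size" in qxl_ram_set_dirty, and the reply proposes handling an out-of-range guest-supplied value by raising an error IRQ and entering guest bug mode rather than aborting. The following C program is an added illustration of that difference, not code from QEMU or from this thread: it models a simplified device (the DemoQxl struct, the demo_* function names, the page size and the 64 KiB constructed VRAM are all assumptions) and contrasts the assert()-guarded form, where a pointer outside the BAR takes the whole emulator down, with the checked form, where the bad command is rejected, the guest is signalled, and the device stops processing further commands.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_PAGE_SIZE 4096   /* assumed page granularity for dirty tracking */

/* Constructed, simplified model of the device state that matters here.
   This is not QEMU's real qxl structure; the field names are assumptions. */
typedef struct {
    uint8_t  *vram_base;     /* host address where the emulated VRAM BAR starts */
    size_t    vram_size;     /* size of that BAR in bytes */
    uint8_t   dirty[16];     /* one bit per page (enough for 128 pages) */
    bool      guest_bug;     /* device has entered "guest bug" mode */
    unsigned  error_irqs;    /* error interrupts raised toward the guest */
} DemoQxl;

static void demo_qxl_init(DemoQxl *qxl, uint8_t *vram, size_t vram_size)
{
    memset(qxl, 0, sizeof(*qxl));
    qxl->vram_base = vram;
    qxl->vram_size = vram_size;
}

/* The shape of the code that fails in the backtrace: the offset of a
   guest-derived pointer inside VRAM is computed, and an assert() is the
   only range check. When a privileged guest driver hands the device a
   pointer outside the BAR, the assert aborts the entire emulator process
   (a guest-triggered denial of service of its own VM). */
static size_t demo_ram_set_dirty_unchecked(DemoQxl *qxl, uintptr_t ptr)
{
    size_t offset = (size_t)(ptr - (uintptr_t)qxl->vram_base);
    assert(offset < qxl->vram_size);        /* "offset < qxl->vga.vram_size" */
    size_t page = offset / DEMO_PAGE_SIZE;
    qxl->dirty[page / 8] |= (uint8_t)(1u << (page % 8));
    return offset;
}

/* Hardened shape, following the approach described in the reply: validate
   the guest-derived value explicitly, and on failure raise an error IRQ and
   enter guest-bug mode instead of aborting. Returns true when the page was
   marked dirty and false when the command was rejected or ignored. */
static bool demo_ram_set_dirty_checked(DemoQxl *qxl, uintptr_t ptr)
{
    uintptr_t base = (uintptr_t)qxl->vram_base;

    if (qxl->guest_bug) {
        return false;                /* device already stopped trusting the guest */
    }
    if (ptr < base || ptr - base >= qxl->vram_size) {
        qxl->guest_bug = true;       /* stop processing this guest's commands */
        qxl->error_irqs++;           /* tell the guest its driver misbehaved */
        return false;
    }
    size_t page = (size_t)(ptr - base) / DEMO_PAGE_SIZE;
    qxl->dirty[page / 8] |= (uint8_t)(1u << (page % 8));
    return true;
}

static bool demo_page_is_dirty(const DemoQxl *qxl, size_t page)
{
    return (qxl->dirty[page / 8] >> (page % 8)) & 1u;
}

int main(void)
{
    static uint8_t vram[16 * DEMO_PAGE_SIZE];   /* constructed 64 KiB "BAR" */
    DemoQxl qxl;
    demo_qxl_init(&qxl, vram, sizeof(vram));

    /* In-range pointers behave identically in both variants. */
    demo_ram_set_dirty_unchecked(&qxl, (uintptr_t)vram + 2 * DEMO_PAGE_SIZE);
    bool ok = demo_ram_set_dirty_checked(&qxl, (uintptr_t)vram + 3 * DEMO_PAGE_SIZE + 17);
    printf("in range: accepted=%d page2=%d page3=%d\n",
           ok, demo_page_is_dirty(&qxl, 2), demo_page_is_dirty(&qxl, 3));

    /* One byte past the end of the BAR: rejected, device enters guest-bug mode.
       The unchecked variant would abort the process here instead. */
    ok = demo_ram_set_dirty_checked(&qxl, (uintptr_t)vram + sizeof(vram));
    printf("out of range: accepted=%d guest_bug=%d error_irqs=%u\n",
           ok, qxl.guest_bug, qxl.error_irqs);
    return 0;
}
```

The practical point is the one the reply makes: the check cannot repair a driver that is already confused, so the guest still ends up with a broken display, but the failure is contained to that guest's device state rather than terminating the emulator hosting it.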
