haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
qemu-patch-raspberry4/hw
History
Marc-André Lureau 24ec2863b1 spapr: fix buffer-overflow 
Running postcopy-test with ASAN produces the following error:

QTEST_QEMU_BINARY=ppc64-softmmu/qemu-system-ppc64  tests/postcopy-test
...
=================================================================
==23641==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1556600000 at pc 0x55b8e9d28208 bp 0x7f1555f4d3c0 sp 0x7f1555f4d3b0
READ of size 8 at 0x7f1556600000 thread T6
    #0 0x55b8e9d28207 in htab_save_first_pass /home/elmarco/src/qq/hw/ppc/spapr.c:1528
    #1 0x55b8e9d2939c in htab_save_iterate /home/elmarco/src/qq/hw/ppc/spapr.c:1665
    #2 0x55b8e9beae3a in qemu_savevm_state_iterate /home/elmarco/src/qq/migration/savevm.c:1044
    #3 0x55b8ea677733 in migration_thread /home/elmarco/src/qq/migration/migration.c:1976
    #4 0x7f15845f46c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #5 0x7f157d9d0f7e in clone (/lib64/libc.so.6+0x107f7e)

0x7f1556600000 is located 0 bytes to the right of 2097152-byte region [0x7f1556400000,0x7f1556600000)
allocated by thread T0 here:
    #0 0x7f159bb76980 in posix_memalign (/lib64/libasan.so.3+0xc7980)
    #1 0x55b8eab185b2 in qemu_try_memalign /home/elmarco/src/qq/util/oslib-posix.c:106
    #2 0x55b8eab186c8 in qemu_memalign /home/elmarco/src/qq/util/oslib-posix.c:122
    #3 0x55b8e9d268a8 in spapr_reallocate_hpt /home/elmarco/src/qq/hw/ppc/spapr.c:1214
    #4 0x55b8e9d26e04 in ppc_spapr_reset /home/elmarco/src/qq/hw/ppc/spapr.c:1261
    #5 0x55b8ea12e913 in qemu_system_reset /home/elmarco/src/qq/vl.c:1697
    #6 0x55b8ea13fa40 in main /home/elmarco/src/qq/vl.c:4679
    #7 0x7f157d8e9400 in __libc_start_main (/lib64/libc.so.6+0x20400)

Thread T6 created by T0 here:
    #0 0x7f159bae0488 in __interceptor_pthread_create (/lib64/libasan.so.3+0x31488)
    #1 0x55b8eab1d9cb in qemu_thread_create /home/elmarco/src/qq/util/qemu-thread-posix.c:465
    #2 0x55b8ea67874c in migrate_fd_connect /home/elmarco/src/qq/migration/migration.c:2096
    #3 0x55b8ea66cbb0 in migration_channel_connect /home/elmarco/src/qq/migration/migration.c:500
    #4 0x55b8ea678f38 in socket_outgoing_migration /home/elmarco/src/qq/migration/socket.c:87
    #5 0x55b8eaa5a03a in qio_task_complete /home/elmarco/src/qq/io/task.c:142
    #6 0x55b8eaa599cc in gio_task_thread_result /home/elmarco/src/qq/io/task.c:88
    #7 0x7f15823e38e6  (/lib64/libglib-2.0.so.0+0x468e6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/src/qq/hw/ppc/spapr.c:1528 in htab_save_first_pass

index seems to be wrongly incremented, unless I miss something that
would be worth a comment.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-03-29 11:35:02 +11:00
..
9pfs 9pfs: fix file descriptor leak 2017-03-27 21:13:19 +02:00
acpi hw/acpi/vmgenid: prevent more than one vmgenid device 2017-03-22 18:29:27 +02:00
adc STM32F2xx: Add the ADC device 2016-10-04 13:28:07 +01:00
alpha hw: Default -drive to if=ide explicitly where it works 2017-02-21 13:10:53 +01:00
arm bcm2835: add sdhost and gpio controllers 2017-02-28 17:10:00 +00:00
audio es1370: wire up reset via DeviceClass 2017-01-11 09:19:03 +01:00
block xen: do not build backends for targets that do not support xen 2017-03-19 11:12:12 +01:00
bt chardev: qom-ify 2017-01-27 18:08:00 +01:00
char xen: do not build backends for targets that do not support xen 2017-03-19 11:12:12 +01:00
core numa,spapr: align default numa node memory size to 256MB 2017-03-22 11:32:42 +11:00
cpu Introduce DEVICE_CATEGORY_CPU for CPU devices 2017-01-27 18:07:31 +01:00
cris cris: Fix broken header guard in hw/cris/boot.h 2016-07-12 16:20:46 +02:00
display cirrus: fix PUTPIXEL macro 2017-03-27 12:14:45 +02:00
dma dma/rc4030: fix a mixed declarations and code warning 2017-03-20 11:20:35 +00:00
gpio bcm2835_gpio: add bcm2835 gpio controller 2017-02-28 17:10:00 +00:00
i2c arm: Uniquely name imx25 I2C buses. 2017-01-20 11:15:06 +00:00
i386 trace: Avoid abuse of amdvi_mmio_read 2017-03-24 09:21:42 +00:00
ide ide: ahci: call cleanup function in ahci unit 2017-03-15 20:50:14 -04:00
input virtio-input: fix eventq batching 2017-03-27 12:14:45 +02:00
intc Revert "apic: save apic_delivered flag" 2017-03-27 14:41:01 +02:00
ipack ipack: Update e-mail address 2016-05-18 15:04:27 +03:00
ipmi migration: consolidate VMStateField.start 2017-02-13 17:27:13 +00:00
isa Allow ISA bus to be configured out 2017-02-06 12:33:21 +11:00
lm32 char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
m68k hw/m68k: QOMify the ColdFire interrupt controller 2017-02-18 22:23:31 +01:00
mem pc: memhp: enable nvdimm device hotplug 2016-11-01 19:21:09 +02:00
microblaze clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
mips hw/mips: MIPS Boston board support 2017-02-24 10:37:21 +00:00
misc hw/misc/imx6_src: Don't crash trying to reset missing CPUs 2017-03-14 16:13:22 +00:00
moxie hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
net xen: do not build backends for targets that do not support xen 2017-03-19 11:12:12 +01:00
nios2 nios2: iic: Convert CPU prop to qom link 2017-03-18 18:22:54 +00:00
nvram hw/block: Request permissions 2017-02-28 20:40:36 +01:00
openrisc target/openrisc: Rename the cpu from or32 to or1k 2017-02-14 08:14:58 +11:00
pci hw/virtio: fix Link Control Register for PCI Express virtio devices 2017-03-16 01:46:41 +02:00
pci-bridge ppc patch queue 2017-02-02 2017-02-02 18:48:06 +00:00
pci-host ppc patch queue for 2017-02-22 2017-02-24 10:13:57 +00:00
pcmcia hw: Clean up includes 2016-01-29 15:07:25 +00:00
ppc spapr: fix buffer-overflow 2017-03-29 11:35:02 +11:00
s390x s390x/css: reassign subchannel if schid is changed after migration 2017-03-20 09:22:57 +01:00
scsi * MTTCG fix for win32 2017-03-27 17:34:50 +01:00
sd Block layer patches 2017-03-01 23:09:46 +00:00
sh4 hw: Default -drive to if=ide explicitly where it works 2017-02-21 13:10:53 +01:00
smbios stubs: move smbios stubs to hw/smbios 2017-01-16 17:52:35 +01:00
sparc sparc/sparc64: grab BQL before calling cpu_check_irqs 2017-03-09 10:41:38 +00:00
sparc64 sparc/sparc64: grab BQL before calling cpu_check_irqs 2017-03-09 10:41:38 +00:00
ssi aspeed/smc: use a modulo to check segment limits 2017-02-10 17:40:30 +00:00
timer armv7m: Split systick out from NVIC 2017-02-28 16:18:49 +00:00
tpm clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
tricore tricore: remove useless cast 2016-09-15 15:32:22 +03:00
unicore32 clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
usb xen: do not build backends for targets that do not support xen 2017-03-19 11:12:12 +01:00
vfio vfio/pci-quirks.c: Disable stolen memory for igd VFIO 2017-02-22 13:19:59 -07:00
virtio virtio: always use handle_aio_output if registered 2017-03-22 17:56:00 +02:00
watchdog wdt: Add Aspeed watchdog device model 2017-02-07 18:29:59 +00:00
xen xen: do not build backends for targets that do not support xen 2017-03-19 11:12:12 +01:00
xenpv xenpv: Fix qemu_uuid compiling error 2016-09-29 11:43:17 +08:00
xtensa target/xtensa: xtfpga: load DTB only when FDT support is enabled 2017-03-11 14:59:03 -08:00
Makefile.objs acpi: filter based on CONFIG_ACPI_X86 rather than TARGET 2017-01-16 17:52:35 +01:00