mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-08-02 07:13:54 -06:00
03f990a5e3
When emulating irqchip in qemu, such as following command:
x86_64-softmmu/qemu-system-x86_64 -m 1024 -smp 4 -hda /home/test/test.img
-machine kernel-irqchip=off --enable-kvm -vnc :0 -device edu -monitor stdio
We will get a crash with following asan output:
(qemu) /home/test/qemu5/qemu/hw/intc/ioapic.c:266:27: runtime error: index 35 out of bounds for type 'int [24]'
=================================================================
==113504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000003114 at pc 0x5579e3c7a80f bp 0x7fd004bf8c10 sp 0x7fd004bf8c00
WRITE of size 4 at 0x61b000003114 thread T4
#0 0x5579e3c7a80e in ioapic_eoi_broadcast /home/test/qemu5/qemu/hw/intc/ioapic.c:266
#1 0x5579e3c6f480 in apic_eoi /home/test/qemu5/qemu/hw/intc/apic.c:428
#2 0x5579e3c720a7 in apic_mem_write /home/test/qemu5/qemu/hw/intc/apic.c:802
#3 0x5579e3b1e31a in memory_region_write_accessor /home/test/qemu5/qemu/memory.c:503
#4 0x5579e3b1e6a2 in access_with_adjusted_size /home/test/qemu5/qemu/memory.c:569
#5 0x5579e3b28d77 in memory_region_dispatch_write /home/test/qemu5/qemu/memory.c:1497
#6 0x5579e3a1b36b in flatview_write_continue /home/test/qemu5/qemu/exec.c:3323
#7 0x5579e3a1b633 in flatview_write /home/test/qemu5/qemu/exec.c:3362
#8 0x5579e3a1bcb1 in address_space_write /home/test/qemu5/qemu/exec.c:3452
#9 0x5579e3a1bd03 in address_space_rw /home/test/qemu5/qemu/exec.c:3463
#10 0x5579e3b8b979 in kvm_cpu_exec /home/test/qemu5/qemu/accel/kvm/kvm-all.c:2045
#11 0x5579e3ae4499 in qemu_kvm_cpu_thread_fn /home/test/qemu5/qemu/cpus.c:1287
#12 0x5579e4cbdb9f in qemu_thread_start util/qemu-thread-posix.c:502
#13 0x7fd0146376da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#14 0x7fd01436088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e
This is because in ioapic_eoi_broadcast function, we uses 'vector' to
index the 's->irq_eoi'. To fix this, we should uses the irq number.
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-Id: <20190622002119.126834-1-liq3ea@163.com>
|
||
|---|---|---|
| .. | ||
| allwinner-a10-pic.c | ||
| apic.c | ||
| apic_common.c | ||
| arm_gic.c | ||
| arm_gic_common.c | ||
| arm_gic_kvm.c | ||
| arm_gicv2m.c | ||
| arm_gicv3.c | ||
| arm_gicv3_common.c | ||
| arm_gicv3_cpuif.c | ||
| arm_gicv3_dist.c | ||
| arm_gicv3_its_common.c | ||
| arm_gicv3_its_kvm.c | ||
| arm_gicv3_kvm.c | ||
| arm_gicv3_redist.c | ||
| armv7m_nvic.c | ||
| aspeed_vic.c | ||
| bcm2835_ic.c | ||
| bcm2836_control.c | ||
| etraxfs_pic.c | ||
| exynos4210_combiner.c | ||
| exynos4210_gic.c | ||
| gic_internal.h | ||
| gicv3_internal.h | ||
| grlib_irqmp.c | ||
| heathrow_pic.c | ||
| i8259.c | ||
| i8259_common.c | ||
| imx_avic.c | ||
| imx_gpcv2.c | ||
| intc.c | ||
| ioapic.c | ||
| ioapic_common.c | ||
| Kconfig | ||
| lm32_pic.c | ||
| Makefile.objs | ||
| mips_gic.c | ||
| nios2_iic.c | ||
| omap_intc.c | ||
| ompic.c | ||
| openpic.c | ||
| openpic_kvm.c | ||
| pl190.c | ||
| pnv_xive.c | ||
| pnv_xive_regs.h | ||
| puv3_intc.c | ||
| realview_gic.c | ||
| s390_flic.c | ||
| s390_flic_kvm.c | ||
| sh_intc.c | ||
| slavio_intctl.c | ||
| spapr_xive.c | ||
| spapr_xive_kvm.c | ||
| trace-events | ||
| vgic_common.h | ||
| xics.c | ||
| xics_kvm.c | ||
| xics_pnv.c | ||
| xics_spapr.c | ||
| xilinx_intc.c | ||
| xive.c | ||
| xlnx-pmu-iomod-intc.c | ||
| xlnx-zynqmp-ipi.c | ||