Hi Laszlo,
Happy new year!
On 4/1/23 08:04, Laszlo Ersek wrote:
Adding Michael. The thread started here:
https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html
More below:
On 1/4/23 07:06, Laszlo Ersek wrote:
On 1/3/23 18:42, Laszlo Ersek wrote:
(resending with qemu-devel on CC; sorry!)
Hi,
this is with QEMU-7.2.
This is a regression. It works fine with QEMU-5.0. The regression has
not been fixed since QEMU-7.2, as of master @ 222059a0fccf ("Merge tag
'pull-ppc-20221221' of https://gitlab.com/danielhb/qemu into staging",
2022-12-21).
I'm bisecting.
(It's a relief that this is a regression. I felt pretty certain that I
had tested CPU hotplug with TCG as well!
I've picked QEMU-5.0 as the start candidate for my bisection for the
following reason: per git-blame, Igor described the modern interface
detection steps in commit ae340aa3d2567 (which I reviewed), and the
first tag/release to contain that commit was QEMU-5.0. The first QEMU
release after Igor and I had worked on this in QEMU and OVMF
definitely worked with TCG too, by my account.)
See the bisection log attached.
The first bad commit is:
commit 5d971f9e672507210e77d020d89e0e89165c8fc9
Author: Michael S. Tsirkin <m...@redhat.com>
Date: Wed Jun 10 09:47:49 2020 -0400
memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"
Good, I was going to point at this commit but you were faster :) This
commit has been problematic (because not all code base was ready):
$ git log 5d971f9e67.. | fgrep 5d971f9e67
This was not an issue until commit 5d971f9e67 which reverted
This is particularly useful since commit 5d971f9e67 which reverted
This was not an issue until commit 5d971f9e67 which reverted
was allowed before commit 5d971f9e67 ("memory: Revert "memory: accept
Fixes: 5d971f9e67 ("memory: Revert "memory: accept mismatching
sizes in memory_region_access_valid"")
Commit 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes
Fixes: 5d971f9e6725 ("memory: Revert "memory: accept mismatching
sizes in memory_region_access_valid")
Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes
in memory_region_access_valid")
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"")
Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
See the later commit dba04c3488:
commit dba04c3488c4699f5afe96f66e448b1d447cf3fb
Author: Michael Tokarev <m...@tls.msk.ru>
Date: Mon Jul 20 19:06:27 2020 +0300
acpi: accept byte and word access to core ACPI registers
All ISA registers should be accessible as bytes, words or dwords
(if wide enough). Fix the access constraints for acpi-pm-evt,
acpi-pm-tmr & acpi-cnt registers.
Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes
in memory_region_access_valid")
Fixes: afafe4bbe0 (apci: switch cnt to memory api)
Fixes: 77d58b1e47 (apci: switch timer to memory api)
Fixes: b5a7c024d2 (apci: switch evt to memory api)
Buglink:
https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per...@citrix.com/T/
Buglink: https://bugs.debian.org/964793
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
BugLink: https://bugs.launchpad.net/bugs/1886318
Reported-By: Simon John <g...@the-jedi.co.uk>
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Message-Id: <20200720160627.15491-1-...@msgid.tls.msk.ru>
Cc: qemu-sta...@nongnu.org
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Memory API documentation documents valid .min_access_size and
.max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.
However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.
Naturally, this breaks a bunch of devices.
Revert to the documented behaviour.
Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Cc: qemu-sta...@nongnu.org
Reviewed-by: Richard Henderson <r...@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in
memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Message-Id: <20200610134731.1514409-1-...@redhat.com>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
First released in QEMU v5.1.0 and v6.0.0 (exact same commit hash in
both, as v6.0.0 descends of v5.1.0).
Because this is a CVE fix, and also because of the suggestions made in
the commit message, I think the commit is actually right, and what we
need to fix is the hotplug register block -- namely the
"AcpiCpuHotplug_ops" structure in "hw/acpi/cpu_hotplug.c".
Do you see anything running with '-d guest_errors'? (on top of commit
21786c7e59 "softmmu/memory: Log invalid memory accesses", or cherry-pick
it if you are around dba04c3488 "acpi: accept byte and word access to
core ACPI registers").
However, what I *really* don't understand is why this commit
(5d971f9e672507210e77d020d89e0e89165c8fc9) makes a difference *only*
under TCG.
Is it easily reproducible with TCG?
Regards,
Phil.
