From af7430aef5968e87b196f0bf5fe200fd1e941f75 Mon Sep 17 00:00:00 2001
From: Richard W.M. Jones
Date: Apr 06 2022 08:52:10 +0000
Subject: acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)
---
diff --git a/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch b/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
new file mode 100644
index 0000000..c7e2852
--- /dev/null
+++ b/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
@@ -0,0 +1,90 @@
+From 8cdb99af45365727ac17f45239a9b8c1d5155c6d Mon Sep 17 00:00:00 2001
+From: Igor Mammedov
+Date: Mon, 27 Dec 2021 14:31:17 -0500
+Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+if QEMU is started with used provided SLIC table blob,
+
+ -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
+it will assert with:
+
+ hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
+
+and following backtrace:
+
+ ...
+ build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
+ acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
+ build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
+ ...
+
+which happens due to acpi_table_begin() expecting NULL terminated
+oem_id and oem_table_id strings, which is normally the case, but
+in case of user provided SLIC table, oem_id points to table's blob
+directly and as result oem_id became longer than expected.
+
+Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
+return NULL terminated strings.
+
+PS:
+After [1] refactoring, oem_id semantics became inconsistent, where
+NULL terminated string was coming from machine and old way pointer
+into byte array coming from -acpitable option. That used to work
+since build_header() wasn't expecting NULL terminated string and
+blindly copied the 1st 6 bytes only.
+
+However commit [2] broke that by replacing build_header() with
+acpi_table_begin(), which was expecting NULL terminated string
+and was checking oem_id size.
+
+1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+2)
+Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
+Signed-off-by: Igor Mammedov
+Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Denis Lisov
+Tested-by: Alexander Tsoy
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+---
+ hw/acpi/core.c | 4 ++--
+ hw/i386/acpi-build.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 1e004d0078..3e811bf03c 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
+ struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
+
+ if (memcmp(hdr->sig, "SLIC", 4) == 0) {
+- oem->id = hdr->oem_id;
+- oem->table_id = hdr->oem_table_id;
++ oem->id = g_strndup(hdr->oem_id, 6);
++ oem->table_id = g_strndup(hdr->oem_table_id, 8);
+ return 0;
+ }
+ }
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 8383b83ee3..0234fe7588 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -2723,6 +2723,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
+
+ /* Cleanup memory that's no longer used. */
+ g_array_free(table_offsets, true);
++ g_free(slic_oem.id);
++ g_free(slic_oem.table_id);
+ }
+
+ static void acpi_ram_update(MemoryRegion *mr, GArray *data)
+--
+2.35.1
+
diff --git a/qemu.spec b/qemu.spec
index ce84343..f922d0d 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -302,7 +302,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
 %endif
 # To prevent rpmdev-bumpspec breakage
-%global baserelease 7
+%global baserelease 8
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
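Review bot: The new `g_free(slic_oem.id);` / `g_free(slic_oem.table_id);` at the end of acpi_build() are only safe if slic_oem is zero-initialised at its declaration, which lies outside this hunk: from what the core.c hunk shows, acpi_get_slic_oem() only assigns the fields inside the `memcmp(hdr->sig, "SLIC", 4) == 0` branch, so when no SLIC table is supplied an uninitialised struct would hand garbage to g_free(). Worth confirming that the declaration reads `AcpiSlicOem slic_oem = { .id = NULL, .table_id = NULL };` or equivalent, and that any other caller of acpi_get_slic_oem(), if one exists, now frees what it returns, since the contract changed from borrowing pointers into the user-supplied blob to owning heap copies. A short comment on acpi_get_slic_oem() (whose body starts and ends outside the hunk) would make that explicit: `/* On success oem->id and oem->table_id are g_strndup()'d, NUL-terminated copies (at most 6 and 8 bytes) that the caller must g_free(). */`. As a side effect of bounding the copy to the fixed field widths, a -acpitable blob whose OEM fields carry no terminator can no longer reach the `len <= maxlen` assertion in build_append_padded_str(), which is the crash the commit message describes.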
@@ -336,6 +336,10 @@ Patch0002: 0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
 Patch0003: 0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch
 Patch0004: 0002-virtiofsd-Do-not-support-blocking-flock.patch
+# acpi: fix QEMU crash when started with SLIC table
+# https://bugzilla.redhat.com/show_bug.cgi?id=2072303
+Patch0005: 0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
+
 BuildRequires: meson >= %{meson_version}
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -2301,6 +2305,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
+* Wed Apr 06 2022 Richard W.M. Jones - 2:6.2.0-8
+- acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)
+
 * Fri Apr 01 2022 Neal Gompa - 2:6.2.0-7
 - Backport virtiofsd changes to fix crashes on F36+ Resolves: rhbz#2070066