rpms / qemu

Clone
Source Code
GIT

af7430 acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)

Authored and Committed by rjones@redhat.com 2 years ago
raw patch tree parent
2 files changed. 98 lines added. 1 lines removed.
0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
file added
+90
qemu.spec
file modified
+8 -1 
    acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)
file added
+90
0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch ADDED
@@ -0,0 +1,90 @@
1
+ From 8cdb99af45365727ac17f45239a9b8c1d5155c6d Mon Sep 17 00:00:00 2001
2
+ From: Igor Mammedov <imammedo@redhat.com>
3
+ Date: Mon, 27 Dec 2021 14:31:17 -0500
4
+ Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table
5
+ MIME-Version: 1.0
6
+ Content-Type: text/plain; charset=UTF-8
7
+ Content-Transfer-Encoding: 8bit
8
+
9
+ if QEMU is started with used provided SLIC table blob,
10
+
11
+ -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
12
+ it will assert with:
13
+
14
+ hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
15
+
16
+ and following backtrace:
17
+
18
+ ...
19
+ build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
20
+ acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
21
+ build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
22
+ ...
23
+
24
+ which happens due to acpi_table_begin() expecting NULL terminated
25
+ oem_id and oem_table_id strings, which is normally the case, but
26
+ in case of user provided SLIC table, oem_id points to table's blob
27
+ directly and as result oem_id became longer than expected.
28
+
29
+ Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
30
+ return NULL terminated strings.
31
+
32
+ PS:
33
+ After [1] refactoring, oem_id semantics became inconsistent, where
34
+ NULL terminated string was coming from machine and old way pointer
35
+ into byte array coming from -acpitable option. That used to work
36
+ since build_header() wasn't expecting NULL terminated string and
37
+ blindly copied the 1st 6 bytes only.
38
+
39
+ However commit [2] broke that by replacing build_header() with
40
+ acpi_table_begin(), which was expecting NULL terminated string
41
+ and was checking oem_id size.
42
+
43
+ 1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
44
+ 2)
45
+ Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
46
+ Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
47
+ Signed-off-by: Igor Mammedov <imammedo@redhat.com>
48
+ Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
49
+ Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
50
+ Tested-by: Denis Lisov <dennis.lissov@gmail.com>
51
+ Tested-by: Alexander Tsoy <alexander@tsoy.me>
52
+ Cc: qemu-stable@nongnu.org
53
+ Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
54
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
55
+ ---
56
+ hw/acpi/core.c | 4 ++--
57
+ hw/i386/acpi-build.c | 2 ++
58
+ 2 files changed, 4 insertions(+), 2 deletions(-)
59
+
60
+ diff --git a/hw/acpi/core.c b/hw/acpi/core.c
61
+ index 1e004d0078..3e811bf03c 100644
62
+ --- a/hw/acpi/core.c
63
+ +++ b/hw/acpi/core.c
64
+ @@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
65
+ struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
66
+
67
+ if (memcmp(hdr->sig, "SLIC", 4) == 0) {
68
+ - oem->id = hdr->oem_id;
69
+ - oem->table_id = hdr->oem_table_id;
70
+ + oem->id = g_strndup(hdr->oem_id, 6);
71
+ + oem->table_id = g_strndup(hdr->oem_table_id, 8);
72
+ return 0;
73
+ }
74
+ }
75
+ diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
76
+ index 8383b83ee3..0234fe7588 100644
77
+ --- a/hw/i386/acpi-build.c
78
+ +++ b/hw/i386/acpi-build.c
79
+ @@ -2723,6 +2723,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
80
+
81
+ /* Cleanup memory that's no longer used. */
82
+ g_array_free(table_offsets, true);
83
+ + g_free(slic_oem.id);
84
+ + g_free(slic_oem.table_id);
85
+ }
86
+
87
+ static void acpi_ram_update(MemoryRegion *mr, GArray *data)
88
+ --
89
+ 2.35.1
90
+
file modified
+8 -1
qemu.spec CHANGED
@@ -302,7 +302,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
302
302
%endif
303
303
304
304
# To prevent rpmdev-bumpspec breakage
305
- %global baserelease 7
305
+ %global baserelease 8
306
306
307
307
Summary: QEMU is a FAST! processor emulator
308
308
Name: qemu
@@ -336,6 +336,10 @@ Patch0002: 0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
336
336
Patch0003: 0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch
337
337
Patch0004: 0002-virtiofsd-Do-not-support-blocking-flock.patch
338
338
339
+ # acpi: fix QEMU crash when started with SLIC table
340
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2072303
341
+ Patch0005: 0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
342
+
339
343
BuildRequires: meson >= %{meson_version}
340
344
BuildRequires: zlib-devel
341
345
BuildRequires: glib2-devel
@@ -2301,6 +2305,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
2301
2305
2302
2306
2303
2307
%changelog
2308
+ * Wed Apr 06 2022 Richard W.M. Jones <rjones@redhat.com> - 2:6.2.0-8
2309
+ - acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)
2310
+
2304
2311
* Fri Apr 01 2022 Neal Gompa <ngompa@fedoraproject.org> - 2:6.2.0-7
2305
2312
- Backport virtiofsd changes to fix crashes on F36+
2306
2313
Resolves: rhbz#2070066

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation