This repository has been archived by the owner on Apr 13, 2019. It is now read-only.

qemu-user crash when mincore called with invalid pointer #158

Open
michaeljclark (Collaborator) opened this issue Aug 3, 2018 · 0 comments

Refer to https://bugs.launchpad.net/qemu/+bug/1785203

Public bug reported:

qemu-riscv64 version 2.12.93 crashes when mincore() is called with an
invalid pointer with the following message:

qemu-riscv64: /opt/qemu/accel/tcg/translate-all.c:2511: page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x600014ef

Testcase:

#include <sys/mman.h>

int main (void)
{
  unsigned char v;
  /* 0x10000000000 = 1 << 40, a guest address beyond the range that
     page_check_range asserts on; mincore should fail, not abort */
  return mincore ((void *) 0x00000010000000000, 1, &v);
}

Backtrace:

#0  raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000000006000140a in abort () at abort.c:79
#2  0x00000000600012ec in __assert_fail_base (
    fmt=0x6024eae8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=0x601b9758 "start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)", 
    file=0x601b9658 "/opt/qemu/accel/tcg/translate-all.c", line=2511, 
    function=0x601b9810 <__PRETTY_FUNCTION__.23867> "page_check_range") at assert.c:92
#3  0x000000006010e10e in __assert_fail (
    assertion=assertion@entry=0x601b9758 "start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)", file=file@entry=0x601b9658 "/opt/qemu/accel/tcg/translate-all.c", line=line@entry=2511, 
    function=function@entry=0x601b9810 <__PRETTY_FUNCTION__.23867> "page_check_range")
    at assert.c:101
#4  0x000000006003e916 in page_check_range (start=start@entry=1099511627776, len=len@entry=1, 
    flags=flags@entry=1) at /opt/qemu/accel/tcg/translate-all.c:2511
#5  0x0000000060057717 in access_ok (size=1, addr=1099511627776, type=0)
    at /opt/qemu/linux-user/qemu.h:567
#6  lock_user (copy=0, len=1, guest_addr=1099511627776, type=0)
    at /opt/qemu/linux-user/qemu.h:567
#7  do_syscall (cpu_env=cpu_env@entry=0x622fca28, num=232, arg1=1099511627776, arg2=1, 
    arg3=274886298751, arg4=0, arg5=274886298808, arg6=66518, arg7=0, arg8=0)
    at /opt/qemu/linux-user/syscall.c:11635
#8  0x0000000060066c5c in cpu_loop (env=env@entry=0x622fca28)
    at /opt/qemu/linux-user/riscv/cpu_loop.c:55
#9  0x0000000060002156 in main (argc=<optimized out>, argv=0x7fffffffed68, 
    envp=<optimized out>) at /opt/qemu/linux-user/main.c:819

** Affects: qemu
     Importance: Undecided
         Status: New

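The report shows a guest syscall argument reaching an assertion instead of an error return: page_check_range() aborts the whole emulator when the start address lies beyond the guest address space, which turns a bad pointer in an unprivileged guest program into a crash of qemu-user. The following C program is an added regression probe, not code from the issue or from QEMU. It calls mincore() with the inputs a Linux syscall layer must reject gracefully, including the exact address from the testcase, and reports the errno it gets back; run natively it passes, and run under an affected qemu-user it dies at the assertion rather than returning. It assumes a 64-bit Linux host (or guest) and native Linux errno semantics from mm/mincore.c; the names probe_mincore, run_mincore_probes and REPORT_ADDR are this example's own.

```c
/* Added regression probe (not from the issue or from QEMU).  It exercises the
 * mincore() address checks a Linux syscall layer must perform without ever
 * crashing, so that running it under qemu-user turns the abort described
 * above into an ordinary test failure.  Assumptions: a 64-bit Linux host (or
 * guest) and native Linux errno semantics from mm/mincore.c; the names
 * probe_mincore, run_mincore_probes and REPORT_ADDR are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The address from the report's testcase: 1 << 40, which lies beyond the
 * guest range that page_check_range() asserts on.  A native kernel simply
 * sees an unmapped (or out-of-range) user address and reports ENOMEM. */
#define REPORT_ADDR ((uintptr_t)1 << 40)

/* Call mincore() on [addr, addr + len) for len <= one page.  Returns 0 on
 * success, otherwise the errno the kernel set.  The abort in the report would
 * show up here as the whole process dying instead of returning. */
int probe_mincore(uintptr_t addr, size_t len)
{
    unsigned char vec[1];   /* residency byte for the single page probed */
    errno = 0;
    if (mincore((void *)addr, len, vec) == 0)
        return 0;
    return errno;
}

/* Three conditions a correct mincore() must report without crashing:
 * a mapped page (success), an unaligned start (EINVAL) and a page that has
 * just been unmapped (ENOMEM).  Returns 0 when all three match, -1 if the
 * scratch mapping could not be created, else the number of the first probe
 * whose result differed. */
int run_mincore_probes(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    uintptr_t base = (uintptr_t)p;

    if (probe_mincore(base, 1) != 0)            /* mapped page: succeeds */
        return 1;
    if (probe_mincore(base + 1, 1) != EINVAL)   /* start not page-aligned */
        return 2;
    munmap(p, page);
    if (probe_mincore(base, 1) != ENOMEM)       /* range no longer mapped */
        return 3;
    return 0;
}

int main(void)
{
    int r = run_mincore_probes();
    int e = probe_mincore(REPORT_ADDR, 1);

    printf("basic probes: %s\n", r == 0 ? "ok" : "mismatch");
    printf("report address 0x%" PRIxPTR ": %s\n", REPORT_ADDR,
           e == 0 ? "unexpectedly succeeded" : strerror(e));
    /* Exit 0 only when every bad input was rejected the way Linux does. */
    return (r == 0 && e == ENOMEM) ? 0 : 1;
}
```

Compile it for the guest architecture and run it under qemu-user: a fixed build prints a strerror() line for the report address and exits 0, while a build with this bug never gets that far. The probe is deliberately single-threaded and maps only one scratch page, so the unmapped-page result cannot be disturbed by the allocator reusing the address.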
@michaeljclark michaeljclark self-assigned this Aug 3, 2018