From nobody Sat Nov 15 22:26:33 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=git.sr.ht Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1745957730349548.517089699798; Tue, 29 Apr 2025 13:15:30 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u9rLP-0000W0-Kg; Tue, 29 Apr 2025 16:14:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u9rLI-0000U1-JZ for qemu-devel@nongnu.org; Tue, 29 Apr 2025 16:14:14 -0400 Received: from mail-a.sr.ht ([46.23.81.152]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u9rLF-0001HP-26 for qemu-devel@nongnu.org; Tue, 29 Apr 2025 16:14:12 -0400 Received: from git.sr.ht (unknown [46.23.81.155]) by mail-a.sr.ht (Postfix) with ESMTPSA id 4964721568; Tue, 29 Apr 2025 20:14:03 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=ZwKTKwPjWlWVZatu7IE1KQEKahaTMt2yAH0BvmABkgM=; c=simple/simple; d=git.sr.ht; h=From:Date:Subject:Reply-to:In-Reply-To:To:Cc; q=dns/txt; s=20240113; t=1745957643; v=1; b=T0gtyCy812WehqHghiUYvvTFrEDC09HwewDFgif6KKU2mu51WSViUeNMryGN23NZXvh01l2h 2cXUMVmoAkxjH364nWGjA9n7fisfmVcaHr0BcWgpN8wwk8dlOmeFixlhC2zjwTsGHhxTS7dZk/1 bbONc5mPnan2xlVMl5ty421CkQxc4WXgLGkdUWHOABeGcJrwHgWQV3aOOsDJFsODBGGzs5mQsuP OMhMBfZmM3aDKmKLsXVw139C1MtFhabgI6wL6tXQQjvhPbFEMtRqfMSEOFupT3LUKG83/yzpqsA WL7jcJsB7kJZjnttxImKzGF8YZywGRAJwJtJwET7m/Bnw== From: ~percival_foss Date: Tue, 29 Apr 2025 12:03:53 -0400 Subject: [PATCH qemu v2 1/2] accel/tcg: Fixed cross-page overflow for 32 bit guest Message-ID: <174595764300.3422.13156465553505851834-1@git.sr.ht> X-Mailer: git.sr.ht In-Reply-To: <174595764300.3422.13156465553505851834-0@git.sr.ht> To: qemu-devel Cc: Richard Henderson , Paolo Bonzini Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=46.23.81.152; envelope-from=outgoing@sr.ht; helo=mail-a.sr.ht X-Spam_score_int: 0 X-Spam_score: -0.1 X-Spam_bar: / X-Spam_report: (-0.1 / 5.0 requ) BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ~percival_foss Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1745957731085019100 From: Percival Foss The bug being resolved is that the current code in mmu_lookup() assumes a valid 64-bit address space. If a guest has a 32-bit address space, a page translation that crosses beyond the last page in the address space will overflow out of the allocated guest virtual memory space in the QEMU application and cause it to crash. In this case the first page will be the last of the 32-bit address space (for example 0xFFFFF000 for 4K page sizes) and the second page will overflow to a page beyond the 32-bit address space (0x100000000 in the very same example). An invalid translation will be added to the cpu translation table from the second page. Thought the translation will be for page address 0x100000000, checks in other parts of the codebase actually enforce using only 32 bits, and will match this translation. Part of the stored translation is the effective address, and another part is the addend to be used to offset into the QEMU process's virtual memory space. The addend will incorporate the 0x100000000 and offset into likely invalid virtual address space. The fix in the diff checks if the target is 32 bits and wraps the second page address to the beginning of the memory space. Signed off by: Percival Engineering --- accel/tcg/cputlb.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index fb22048876..457b3f8ec7 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -1767,6 +1767,13 @@ static bool mmu_lookup(CPUState *cpu, vaddr addr, Me= mOpIdx oi, l->page[1].size =3D l->page[0].size - size0; l->page[0].size =3D size0; =20 + /* check for wrapping address space on page crossing if target is = 32 bit */ + #if TARGET_LONG_BITS =3D=3D 32 + if (l->page[1].addr >=3D (1UL << TARGET_LONG_BITS)) { + l->page[1].addr %=3D (1UL << TARGET_LONG_BITS); + } + # endif + /* * Lookup both pages, recognizing exceptions from either. If the * second lookup potentially resized, refresh first CPUTLBEntryFul= l. --=20 2.45.3 From nobody Sat Nov 15 22:26:33 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=git.sr.ht Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1745957721036692.3554852813741; Tue, 29 Apr 2025 13:15:21 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u9rLX-0000Zm-1M; Tue, 29 Apr 2025 16:14:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u9rLK-0000UV-FW for qemu-devel@nongnu.org; Tue, 29 Apr 2025 16:14:15 -0400 Received: from mail-a.sr.ht ([46.23.81.152]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u9rLF-0001HU-2E for qemu-devel@nongnu.org; Tue, 29 Apr 2025 16:14:12 -0400 Received: from git.sr.ht (unknown [46.23.81.155]) by mail-a.sr.ht (Postfix) with ESMTPSA id 61FAC21569; Tue, 29 Apr 2025 20:14:03 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=zkSu4yIS7+YQyZiHy8m5iK9pPqaKovZJQ0CeGa5pW1k=; c=simple/simple; d=git.sr.ht; h=From:Date:Subject:Reply-to:In-Reply-To:To:Cc; q=dns/txt; s=20240113; t=1745957643; v=1; b=e9bBj4LLp6QVvxoa2FO+EH64ujJfulS3flz7WZJ47nOUv4J0PiNaSl28d1UlTQqQEnvydgxN vAVrsVXkMLkrOzVWiNXKUJCABUvqVsVFkh0vDXt5K/h18sefb0mu367dbcjZr5b6+wsTkzs7ZzD zRF2K5RjOfcQYVUyNIWp3AuaFfcp9v4/fqF+/h9+mOynxd/1wWMblvI+2qbEbWI4jh1cGQC768G pKYKS/aBA3SBA2YpqkumwJKN53/W6ZirsqIAQC0qZy4DpgvKUbZk6F160RLPTBTK7Isliv6XljG CfgbNxQBiTaZ4Sp/P3bh27wR3oyDSh16C+LsyD2CXn+Yg== From: ~percival_foss Date: Tue, 29 Apr 2025 12:12:10 -0400 Subject: [PATCH qemu v2 2/2] tests/functional: Added cross page overflow test Message-ID: <174595764300.3422.13156465553505851834-2@git.sr.ht> X-Mailer: git.sr.ht In-Reply-To: <174595764300.3422.13156465553505851834-0@git.sr.ht> To: qemu-devel Cc: Richard Henderson , Paolo Bonzini Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=46.23.81.152; envelope-from=outgoing@sr.ht; helo=mail-a.sr.ht X-Spam_score_int: 0 X-Spam_score: -0.0 X-Spam_bar: / X-Spam_report: (-0.0 / 5.0 requ) BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_SBL_A=0.1 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ~percival_foss Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1745957724822019100 From: Percival Foss This test utilizes pegasos2 to show the cross page overflow bug on 32 bit s= ystems. We patch the firmware image to cause the overflow. The instructions to do this are as follows: li r3, 0 li r4, -1 lwz r5, 0x0(r4) lwz r5, 0x0(r3) This test will add an invalid translation when ran and then crash QEMU. If = the fix is applied then pegasos2 will start properly and not crash. Signed off by:Percival Engineering --- tests/functional/meson.build | 1 + tests/functional/test_ppc_pegasos2.py | 69 +++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100755 tests/functional/test_ppc_pegasos2.py diff --git a/tests/functional/meson.build b/tests/functional/meson.build index 0f8be30fe2..6641b878c3 100644 --- a/tests/functional/meson.build +++ b/tests/functional/meson.build @@ -213,6 +213,7 @@ tests_ppc_system_thorough =3D [ 'ppc_bamboo', 'ppc_mac', 'ppc_mpc8544ds', + 'ppc_pegasos2', 'ppc_replay', 'ppc_sam460ex', 'ppc_tuxrun', diff --git a/tests/functional/test_ppc_pegasos2.py b/tests/functional/test_= ppc_pegasos2.py new file mode 100755 index 0000000000..ef76745068 --- /dev/null +++ b/tests/functional/test_ppc_pegasos2.py @@ -0,0 +1,69 @@ +#!/usr/bin/env python3 +# +# Test AmigaNG boards +# +# Copyright (c) 2023 BALATON Zoltan +# +# This work is licensed under the terms of the GNU GPL, version 2 or +# later. See the COPYING file in the top-level directory. + +import subprocess + +from qemu_test import QemuSystemTest, Asset +from qemu_test import wait_for_console_pattern +from zipfile import ZipFile + +class Pegasos2Machine(QemuSystemTest): + + timeout =3D 90 + + ASSET_IMAGE =3D Asset( + ('https://web.archive.org/web/20071021223056if_/http://www.bplan-g= mbh.de/up050404/up050404'), + '0b4ff042b293033e094b47ac7051824fc45f83adb340d455a17db1674b0150b0c= 60ffc624ac766f5369cd79f0447214d468baa182c1f18c5e04cd23a50f0b9a2') + + def test_ppc_pegasos2(self): + self.require_accelerator("tcg") + self.set_machine('pegasos2') + file_path =3D self.ASSET_IMAGE.fetch() + bios_fh =3D open(self.workdir + "/pegasos2.rom", "wb") + subprocess.run(['tail', '-c','+85581', file_path], stdout=3Dbios_f= h) + bios_fh.close() + subprocess.run(['truncate', '-s', '524288', self.workdir + "/pegas= os2.rom"], ) + + self.vm.set_console() + self.vm.add_args('-bios', self.workdir + '/pegasos2.rom') + self.vm.launch() + wait_for_console_pattern(self, 'SmartFirmware:') + + def test_ppc_pegasos2_test_tcg_crosspage_overflow_bug(self): + self.require_accelerator("tcg") + self.set_machine('pegasos2') + file_path =3D self.ASSET_IMAGE.fetch() + bios_fh =3D open(self.workdir + "/pegasos2.rom", "wb") + subprocess.run(['tail', '-c','+85581', file_path], stdout=3Dbios_f= h) + bios_fh.close() + subprocess.run(['truncate', '-s', '524288', self.workdir + "/pegas= os2.rom"], ) + + with open(self.workdir + "/pegasos2.rom", "rb") as bios_fh: + bios_data =3D bios_fh.read() + =20 + # Patch the firmware image with the following instructions that wi= ll cause tcg to crash for 32-bit guests on 64-bit platforms: + # li r3, 0 + # li r4, -1 + # lwz r5, 0x0(r4) + # lwz r5, 0x0(r3) + + bios_data_new =3D bios_data[:0x6c10] + b'\x38\x60\x00\x00' + b'\x3= 8\x80\xff\xff' + b'\x80\xa4\x00\x00' + b'\x80\xa3\x00\x00' + bios_data[0x6c= 20:] + with open(self.workdir + "/pegasos2_new.rom", "wb") as bios_new_fh: + bios_new_fh.write(bios_data_new) + + self.vm.set_console() + self.vm.add_args('-bios', self.workdir + '/pegasos2_new.rom') + self.vm.launch() + wait_for_console_pattern(self, 'Releasing IDE reset') + + # set $pc =3D 0 and expect crash + + +if __name__ =3D=3D '__main__': + QemuSystemTest.main() --=20 2.45.3