The following changes since commit aa9e7fa4689d1becb2faf67f65aafcbcf664f1ce:

Merge tag 'edk2-stable202302-20230320-pull-request' of https://gitlab.com/kraxel/qemu into staging (2023-03-20 13:43:35 +0000)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230321

for you to fetch changes up to 5787d17a42f7af4bd117e5d6bfa54b1fdf93c255:

target/arm: Don't advertise aarch64-pauth.xml to gdb (2023-03-21 13:19:08 +0000)

* contrib/elf2dmp: Support Windows Server 2022

* hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings

* target/arm: Add Neoverse-N1 IMPDEF registers

* hw/usb/imx: Fix out of bounds access in imx_usbphy_read()

* docs/system/arm/cpu-features.rst: Fix formatting

* target/arm: Don't advertise aarch64-pauth.xml to gdb

Chen Baozi (1):

target/arm: Add Neoverse-N1 registers

hw/usb/imx: Fix out of bounds access in imx_usbphy_read()

Peter Maydell (3):

hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings

docs/system/arm/cpu-features.rst: Fix formatting

target/arm: Don't advertise aarch64-pauth.xml to gdb

Viktor Prutyanov (3):

contrib/elf2dmp: fix code style

contrib/elf2dmp: move PE dir search to pe_get_data_dir_entry

contrib/elf2dmp: add PE name check and Windows Server 2022 support

docs/system/arm/cpu-features.rst | 68 ++++++++++-------------

contrib/elf2dmp/pe.h | 115 ++++++++++++++++++++++-----------------

contrib/elf2dmp/addrspace.c | 1 +

contrib/elf2dmp/main.c | 108 ++++++++++++++++++++++++------------

hw/char/cadence_uart.c | 6 +-

hw/usb/imx-usb-phy.c | 19 ++++++-

target/arm/cpu64.c | 69 +++++++++++++++++++++++

target/arm/gdbstub.c | 7 +++

8 files changed, 267 insertions(+), 126 deletions(-)

From: Chen Baozi <chenbaozi@phytium.com.cn>

Add implementation defined registers for neoverse-n1 which

would be accessed by TF-A. Since there is no DSU in Qemu,

CPUCFR_EL1.SCU bit is set to 1 to avoid DSU registers definition.

target/arm/cpu64.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++

1 file changed, 69 insertions(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c

--- a/target/arm/cpu64.c

+++ b/target/arm/cpu64.c

#include "qemu/osdep.h"

#include "qapi/error.h"

#include "cpu.h"

+#include "cpregs.h"

#include "qemu/module.h"

#include "sysemu/kvm.h"

#include "sysemu/hvf.h"

@@ -XXX,XX +XXX,XX @@ static void aarch64_a64fx_initfn(Object *obj)

/* TODO: Add A64FX specific HPC extension registers */

}

+static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = {

+ { .name = "ATCR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 7, .opc2 = 0,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ATCR_EL2", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 0,

+ .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ATCR_EL3", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 7, .opc2 = 0,

+ .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ATCR_EL12", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 5, .crn = 15, .crm = 7, .opc2 = 0,

+ .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "AVTCR_EL2", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 1,

+ .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 0,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUACTLR2_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 1,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUACTLR3_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 2,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ /*

+ * Report CPUCFR_EL1.SCU as 1, as we do not implement the DSU

+ * (and in particular its system registers).

+ */

+ { .name = "CPUCFR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 0,

+ .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 4 },

+ { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 4,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0x961563010 },

+ { .name = "CPUPCR_EL3", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 1,

+ .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUPMR_EL3", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 3,

+ .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUPOR_EL3", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 2,

+ .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUPSELR_EL3", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 0,

+ .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "CPUPWRCTLR_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ERXPFGCDN_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 2,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ERXPFGCTL_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 1,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+ { .name = "ERXPFGF_EL1", .state = ARM_CP_STATE_AA64,

+ .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0,

+ .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },

+static void define_neoverse_n1_cp_reginfo(ARMCPU *cpu)

+{

+ define_arm_cp_regs(cpu, neoverse_n1_cp_reginfo);

+}

static void aarch64_neoverse_n1_initfn(Object *obj)

ARMCPU *cpu = ARM_CPU(obj);

@@ -XXX,XX +XXX,XX @@ static void aarch64_neoverse_n1_initfn(Object *obj)

/* From D5.1 AArch64 PMU register summary */

cpu->isar.reset_pmcr_el0 = 0x410c3000;

+

+ define_neoverse_n1_cp_reginfo(cpu);

static void aarch64_host_initfn(Object *obj)

2.34.1

The cadence UART attempts to avoid allowing the guest to set invalid

baud rate register values in the uart_write() function. However it

does the "mask to the size of the register field" and "check for

invalid values" in the wrong order, which means that a malicious

guest can get a bogus value into the register by setting also some

high bits in the value, and cause QEMU to crash by division-by-zero.

Do the mask before the bounds check instead of afterwards.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Thomas Huth <thuth@redhat.com>

Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>

Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Tested-by: Qiang Liu <cyruscyliu@gmail.com>

Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org

---

hw/char/cadence_uart.c | 6 ++++--

1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c

--- a/hw/char/cadence_uart.c

+++ b/hw/char/cadence_uart.c

@@ -XXX,XX +XXX,XX @@ static MemTxResult uart_write(void *opaque, hwaddr offset,

case R_BRGR: /* Baud rate generator */

+ value &= 0xffff;

if (value >= 0x01) {

- s->r[offset] = value & 0xFFFF;

+ s->r[offset] = value;

}

case R_BDIV: /* Baud rate divider */

+ value &= 0xff;

if (value >= 0x04) {

- s->r[offset] = value & 0xFF;

+ s->r[offset] = value;

}

break;

default:

2.34.1

From: Viktor Prutyanov <viktor@daynix.com>

Originally elf2dmp were added with some code style issues,

especially in pe.h header, and some were introduced by

2d0fc797faaa73fbc1d30f5f9e90407bf3dd93f0. Fix them now.

Signed-off-by: Viktor Prutyanov <viktor@daynix.com>

Reviewed-by: Annie Li <annie.li@oracle.com>

Message-id: 20230222211246.883679-2-viktor@daynix.com

contrib/elf2dmp/pe.h | 100 ++++++++++++++++++------------------

contrib/elf2dmp/addrspace.c | 1 +

contrib/elf2dmp/main.c | 9 ++--

3 files changed, 57 insertions(+), 53 deletions(-)

diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h

--- a/contrib/elf2dmp/pe.h

+++ b/contrib/elf2dmp/pe.h

@@ -XXX,XX +XXX,XX @@ typedef struct IMAGE_DOS_HEADER {

} __attribute__ ((packed)) IMAGE_DOS_HEADER;

typedef struct IMAGE_FILE_HEADER {

- uint16_t Machine;

- uint16_t NumberOfSections;

- uint32_t TimeDateStamp;

- uint32_t PointerToSymbolTable;

- uint32_t NumberOfSymbols;

- uint16_t SizeOfOptionalHeader;

- uint16_t Characteristics;

+ uint16_t Machine;

+ uint16_t NumberOfSections;

+ uint32_t TimeDateStamp;

+ uint32_t PointerToSymbolTable;

+ uint32_t NumberOfSymbols;

+ uint16_t SizeOfOptionalHeader;

+ uint16_t Characteristics;

} __attribute__ ((packed)) IMAGE_FILE_HEADER;

typedef struct IMAGE_DATA_DIRECTORY {

- uint32_t VirtualAddress;

- uint32_t Size;

+ uint32_t VirtualAddress;

+ uint32_t Size;

} __attribute__ ((packed)) IMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

typedef struct IMAGE_OPTIONAL_HEADER64 {

- uint16_t Magic; /* 0x20b */

- uint8_t MajorLinkerVersion;

- uint8_t MinorLinkerVersion;

- uint32_t SizeOfCode;

- uint32_t SizeOfInitializedData;

- uint32_t SizeOfUninitializedData;

- uint32_t AddressOfEntryPoint;

- uint32_t BaseOfCode;

- uint64_t ImageBase;

- uint32_t SectionAlignment;

- uint32_t FileAlignment;

- uint16_t MajorOperatingSystemVersion;

- uint16_t MinorOperatingSystemVersion;

- uint16_t MajorImageVersion;

- uint16_t MinorImageVersion;

- uint16_t MajorSubsystemVersion;

- uint16_t MinorSubsystemVersion;

- uint32_t Win32VersionValue;

- uint32_t SizeOfImage;

- uint32_t SizeOfHeaders;

- uint32_t CheckSum;

- uint16_t Subsystem;

- uint16_t DllCharacteristics;

- uint64_t SizeOfStackReserve;

- uint64_t SizeOfStackCommit;

- uint64_t SizeOfHeapReserve;

- uint64_t SizeOfHeapCommit;

- uint32_t LoaderFlags;

- uint32_t NumberOfRvaAndSizes;

- IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];

+ uint16_t Magic; /* 0x20b */

+ uint8_t MajorLinkerVersion;

+ uint8_t MinorLinkerVersion;

+ uint32_t SizeOfCode;

+ uint32_t SizeOfInitializedData;

+ uint32_t SizeOfUninitializedData;

+ uint32_t AddressOfEntryPoint;

+ uint32_t BaseOfCode;

+ uint64_t ImageBase;

+ uint32_t SectionAlignment;

+ uint32_t FileAlignment;

+ uint16_t MajorOperatingSystemVersion;

+ uint16_t MinorOperatingSystemVersion;

+ uint16_t MajorImageVersion;

+ uint16_t MinorImageVersion;

+ uint16_t MajorSubsystemVersion;

+ uint16_t MinorSubsystemVersion;

+ uint32_t Win32VersionValue;

+ uint32_t SizeOfImage;

+ uint32_t SizeOfHeaders;

+ uint32_t CheckSum;

+ uint16_t Subsystem;

+ uint16_t DllCharacteristics;

+ uint64_t SizeOfStackReserve;

+ uint64_t SizeOfStackCommit;

+ uint64_t SizeOfHeapReserve;

+ uint64_t SizeOfHeapCommit;

+ uint32_t LoaderFlags;

+ uint32_t NumberOfRvaAndSizes;

+ IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];

} __attribute__ ((packed)) IMAGE_OPTIONAL_HEADER64;

typedef struct IMAGE_NT_HEADERS64 {

- uint32_t Signature;

- IMAGE_FILE_HEADER FileHeader;

- IMAGE_OPTIONAL_HEADER64 OptionalHeader;

+ uint32_t Signature;

+ IMAGE_FILE_HEADER FileHeader;

+ IMAGE_OPTIONAL_HEADER64 OptionalHeader;

} __attribute__ ((packed)) IMAGE_NT_HEADERS64;

typedef struct IMAGE_DEBUG_DIRECTORY {

- uint32_t Characteristics;

- uint32_t TimeDateStamp;

- uint16_t MajorVersion;

- uint16_t MinorVersion;

- uint32_t Type;

- uint32_t SizeOfData;

- uint32_t AddressOfRawData;

- uint32_t PointerToRawData;

+ uint32_t Characteristics;

+ uint32_t TimeDateStamp;

+ uint16_t MajorVersion;

+ uint16_t MinorVersion;

+ uint32_t Type;

+ uint32_t SizeOfData;

+ uint32_t AddressOfRawData;

+ uint32_t PointerToRawData;

} __attribute__ ((packed)) IMAGE_DEBUG_DIRECTORY;

#define IMAGE_DEBUG_TYPE_CODEVIEW 2

diff --git a/contrib/elf2dmp/addrspace.c b/contrib/elf2dmp/addrspace.c

index XXXXXXX..XXXXXXX 100644

--- a/contrib/elf2dmp/addrspace.c

+++ b/contrib/elf2dmp/addrspace.c

@@ -XXX,XX +XXX,XX @@

static struct pa_block *pa_space_find_block(struct pa_space *ps, uint64_t pa)

size_t i;

+

for (i = 0; i < ps->block_nr; i++) {

if (ps->block[i].paddr <= pa &&

pa <= ps->block[i].paddr + ps->block[i].size) {

diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c

index XXXXXXX..XXXXXXX 100644

--- a/contrib/elf2dmp/main.c

+++ b/contrib/elf2dmp/main.c

@@ -XXX,XX +XXX,XX @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps,

};

for (i = 0; i < ps->block_nr; i++) {

- h.PhysicalMemoryBlock.NumberOfPages += ps->block[i].size / ELF2DMP_PAGE_SIZE;

+ h.PhysicalMemoryBlock.NumberOfPages +=

+ ps->block[i].size / ELF2DMP_PAGE_SIZE;

h.PhysicalMemoryBlock.Run[i] = (WinDumpPhyMemRun64) {

.BasePage = ps->block[i].paddr / ELF2DMP_PAGE_SIZE,

.PageCount = ps->block[i].size / ELF2DMP_PAGE_SIZE,

};

}

- h.RequiredDumpSpace += h.PhysicalMemoryBlock.NumberOfPages << ELF2DMP_PAGE_BITS;

+ h.RequiredDumpSpace +=

+ h.PhysicalMemoryBlock.NumberOfPages << ELF2DMP_PAGE_BITS;

*hdr = h;

@@ -XXX,XX +XXX,XX @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps,

static int fill_context(KDDEBUGGER_DATA64 *kdbg,

struct va_space *vs, QEMU_Elf *qe)

{

- int i;

+ int i;

+

for (i = 0; i < qe->state_nr; i++) {

uint64_t Prcb;

uint64_t Context;

2.34.1

From: Viktor Prutyanov <viktor@daynix.com>

contrib/elf2dmp/main.c | 71 +++++++++++++++++++++++++-----------------

1 file changed, 42 insertions(+), 29 deletions(-)

diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c

--- a/contrib/elf2dmp/main.c

+++ b/contrib/elf2dmp/main.c

@@ -XXX,XX +XXX,XX @@ static int fill_context(KDDEBUGGER_DATA64 *kdbg,

return 0;

+static int pe_get_data_dir_entry(uint64_t base, void *start_addr, int idx,

+ void *entry, size_t size, struct va_space *vs)

+ const char e_magic[2] = "MZ";

+ const char Signature[4] = "PE\0\0";

+ IMAGE_DOS_HEADER *dos_hdr = start_addr;

+ IMAGE_NT_HEADERS64 nt_hdrs;

+ IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader;

+ IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader;

+ IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory;

+ QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE);

+ if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) {

+ return 1;

+ }

+

+ if (va_space_rw(vs, base + dos_hdr->e_lfanew,

+ &nt_hdrs, sizeof(nt_hdrs), 0)) {

+ return 1;

+ }

+

+ if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) ||

+ file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) {

+ return 1;

+ }

+

+ if (va_space_rw(vs,

+ base + data_dir[idx].VirtualAddress,

+ entry, size, 0)) {

+ return 1;

+ }

+

+ printf("Data directory entry #%d: RVA = 0x%08"PRIx32"\n", idx,

+ (uint32_t)data_dir[idx].VirtualAddress);

+

+ return 0;

static int write_dump(struct pa_space *ps,

WinDumpHeader64 *hdr, const char *name)

@@ -XXX,XX +XXX,XX @@ static int write_dump(struct pa_space *ps,

static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,

char *hash, struct va_space *vs)

{

- const char e_magic[2] = "MZ";

- const char Signature[4] = "PE\0\0";

const char sign_rsds[4] = "RSDS";

- IMAGE_DOS_HEADER *dos_hdr = start_addr;

- IMAGE_NT_HEADERS64 nt_hdrs;

- IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader;

- IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader;

- IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory;

IMAGE_DEBUG_DIRECTORY debug_dir;

OMFSignatureRSDS rsds;

char *pdb_name;

size_t pdb_name_sz;

size_t i;

- QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE);

-

- if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) {

- return 1;

- }

-

- if (va_space_rw(vs, base + dos_hdr->e_lfanew,

- &nt_hdrs, sizeof(nt_hdrs), 0)) {

- return 1;

- }

-

- if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) ||

- file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) {

- return 1;

- }

-

- printf("Debug Directory RVA = 0x%08"PRIx32"\n",

- (uint32_t)data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress);

-

- if (va_space_rw(vs,

- base + data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress,

- &debug_dir, sizeof(debug_dir), 0)) {

+ if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_DEBUG_DIRECTORY,

+ &debug_dir, sizeof(debug_dir), vs)) {

+ eprintf("Failed to get Debug Directory\n");

return 1;

2.34.1

From: Viktor Prutyanov <viktor@daynix.com>

Since its inception elf2dmp has checked MZ signatures within an

address space above IDT[0] interrupt vector and took first PE image

found as Windows Kernel.

But in Windows Server 2022 memory dump this address space range is

full of invalid PE fragments and the tool must check that PE image

is 'ntoskrnl.exe' actually.

So, introduce additional validation by checking image name from

Export Directory against 'ntoskrnl.exe'.

Signed-off-by: Viktor Prutyanov <viktor@daynix.com>

Tested-by: Yuri Benditovich <yuri.benditovich@daynix.com>

Reviewed-by: Annie Li <annie.li@oracle.com>

Message-id: 20230222211246.883679-4-viktor@daynix.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

contrib/elf2dmp/pe.h | 15 +++++++++++++++

contrib/elf2dmp/main.c | 28 ++++++++++++++++++++++++++--

2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h

--- a/contrib/elf2dmp/pe.h

+++ b/contrib/elf2dmp/pe.h

@@ -XXX,XX +XXX,XX @@ typedef struct IMAGE_NT_HEADERS64 {

IMAGE_OPTIONAL_HEADER64 OptionalHeader;

} __attribute__ ((packed)) IMAGE_NT_HEADERS64;

+typedef struct IMAGE_EXPORT_DIRECTORY {

+ uint32_t Characteristics;

+ uint32_t TimeDateStamp;

+ uint16_t MajorVersion;

+ uint16_t MinorVersion;

+ uint32_t Name;

+ uint32_t Base;

+ uint32_t NumberOfFunctions;

+ uint32_t NumberOfNames;

+ uint32_t AddressOfFunctions;

+ uint32_t AddressOfNames;

+ uint32_t AddressOfNameOrdinals;

+} __attribute__ ((packed)) IMAGE_EXPORT_DIRECTORY;

+

typedef struct IMAGE_DEBUG_DIRECTORY {

uint32_t Characteristics;

uint32_t TimeDateStamp;

@@ -XXX,XX +XXX,XX @@ typedef struct IMAGE_DEBUG_DIRECTORY {

#define IMAGE_DEBUG_TYPE_CODEVIEW 2

#endif

+#define IMAGE_FILE_EXPORT_DIRECTORY 0

#define IMAGE_FILE_DEBUG_DIRECTORY 6

typedef struct guid_t {

diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c

index XXXXXXX..XXXXXXX 100644

--- a/contrib/elf2dmp/main.c

+++ b/contrib/elf2dmp/main.c

#define SYM_URL_BASE "https://msdl.microsoft.com/download/symbols/"

#define PDB_NAME "ntkrnlmp.pdb"

+#define PE_NAME "ntoskrnl.exe"

#define INITIAL_MXCSR 0x1f80

@@ -XXX,XX +XXX,XX @@ static int write_dump(struct pa_space *ps,

return fclose(dmp_file);

}

+static bool pe_check_export_name(uint64_t base, void *start_addr,

+ struct va_space *vs)

+{

+ IMAGE_EXPORT_DIRECTORY export_dir;

+ const char *pe_name;

+

+ if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_EXPORT_DIRECTORY,

+ &export_dir, sizeof(export_dir), vs)) {

+ return false;

+ }

+

+ pe_name = va_space_resolve(vs, base + export_dir.Name);

+ if (!pe_name) {

+ return false;

+ }

+

+ return !strcmp(pe_name, PE_NAME);

+}

+

static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,

char *hash, struct va_space *vs)

@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])

uint64_t KdDebuggerDataBlock;

KDDEBUGGER_DATA64 *kdbg;

uint64_t KdVersionBlock;

+ bool kernel_found = false;

if (argc != 3) {

eprintf("usage:\n\t%s elf_file dmp_file\n", argv[0]);

@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])

}

if (*(uint16_t *)nt_start_addr == 0x5a4d) { /* MZ */

- break;

+ if (pe_check_export_name(KernBase, nt_start_addr, &vs)) {

+ kernel_found = true;

+ break;

+ }

}

}

- if (!nt_start_addr) {

+ if (!kernel_found) {

eprintf("Failed to find NT kernel image\n");

err = 1;

goto out_ps;

2.34.1

The i.MX USB Phy driver does not check register ranges, resulting in out of

bounds accesses if an attempt is made to access non-existing PHY registers.

Add range check and conditionally report bad accesses to fix the problem.

While at it, also conditionally log attempted writes to non-existing or

read-only registers.

Reported-by: Qiang Liu <cyruscyliu@gmail.com>

Tested-by: Qiang Liu <cyruscyliu@gmail.com>

Message-id: 20230316234926.208874-1-linux@roeck-us.net

Link: https://gitlab.com/qemu-project/qemu/-/issues/1408

Fixes: 0701a5efa015 ("hw/usb: Add basic i.MX USB Phy support")

Signed-off-by: Guenter Roeck <linux@roeck-us.net>

hw/usb/imx-usb-phy.c | 19 +++++++++++++++++--

1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/usb/imx-usb-phy.c b/hw/usb/imx-usb-phy.c

--- a/hw/usb/imx-usb-phy.c

+++ b/hw/usb/imx-usb-phy.c

@@ -XXX,XX +XXX,XX @@

#include "qemu/osdep.h"

#include "hw/usb/imx-usb-phy.h"

#include "migration/vmstate.h"

+#include "qemu/log.h"

#include "qemu/module.h"

static const VMStateDescription vmstate_imx_usbphy = {

@@ -XXX,XX +XXX,XX @@ static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size)

value = s->usbphy[index - 3];

break;

default:

- value = s->usbphy[index];

+ if (index < USBPHY_MAX) {

+ value = s->usbphy[index];

+ } else {

+ qemu_log_mask(LOG_GUEST_ERROR,

+ "%s: Read from non-existing USB PHY register 0x%"

+ HWADDR_PRIx "\n",

+ __func__, offset);

+ value = 0;

+ }

break;

}

return (uint64_t)value;

@@ -XXX,XX +XXX,XX @@ static void imx_usbphy_write(void *opaque, hwaddr offset, uint64_t value,

s->usbphy[index - 3] ^= value;

break;

default:

- /* Other registers are read-only */

+ /* Other registers are read-only or do not exist */

+ qemu_log_mask(LOG_GUEST_ERROR,

+ "%s: Write to %s USB PHY register 0x%"

+ HWADDR_PRIx "\n",

+ __func__,

+ index >= USBPHY_MAX ? "non-existing" : "read-only",

+ offset);

break;

}

}

2.34.1

The markup for the Arm CPU feature documentation is incorrect,

and results in the HTML not rendering correctly -- the first

line of each description is rendered in boldface as if it

were part of the option name.

Message-id: 20230316105808.1414003-1-peter.maydell@linaro.org

Reviewed-by: Cornelia Huck <cohuck@redhat.com>

docs/system/arm/cpu-features.rst | 68 ++++++++++++++------------------

1 file changed, 30 insertions(+), 38 deletions(-)

diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst

--- a/docs/system/arm/cpu-features.rst

+++ b/docs/system/arm/cpu-features.rst

@@ -XXX,XX +XXX,XX @@ are named with the prefix "kvm-". KVM VCPU features may be probed,

enabled, and disabled in the same way as other CPU features. Below is

the list of KVM VCPU features and their descriptions.

- kvm-no-adjvtime By default kvm-no-adjvtime is disabled. This

- means that by default the virtual time

- adjustment is enabled (vtime is not *not*

- adjusted).

+``kvm-no-adjvtime``

+ By default kvm-no-adjvtime is disabled. This means that by default

+ the virtual time adjustment is enabled (vtime is not *not* adjusted).

- When virtual time adjustment is enabled each

- time the VM transitions back to running state

- the VCPU's virtual counter is updated to ensure

- stopped time is not counted. This avoids time

- jumps surprising guest OSes and applications,

- as long as they use the virtual counter for

- timekeeping. However it has the side effect of

- the virtual and physical counters diverging.

- All timekeeping based on the virtual counter

- will appear to lag behind any timekeeping that

- does not subtract VM stopped time. The guest

- may resynchronize its virtual counter with

- other time sources as needed.

+ When virtual time adjustment is enabled each time the VM transitions

+ back to running state the VCPU's virtual counter is updated to

+ ensure stopped time is not counted. This avoids time jumps

+ surprising guest OSes and applications, as long as they use the

+ virtual counter for timekeeping. However it has the side effect of

+ the virtual and physical counters diverging. All timekeeping based

+ on the virtual counter will appear to lag behind any timekeeping

+ that does not subtract VM stopped time. The guest may resynchronize

+ its virtual counter with other time sources as needed.

- Enable kvm-no-adjvtime to disable virtual time

- adjustment, also restoring the legacy (pre-5.0)

- behavior.

+ Enable kvm-no-adjvtime to disable virtual time adjustment, also

+ restoring the legacy (pre-5.0) behavior.

- kvm-steal-time Since v5.2, kvm-steal-time is enabled by

- default when KVM is enabled, the feature is

- supported, and the guest is 64-bit.

+``kvm-steal-time``

+ Since v5.2, kvm-steal-time is enabled by default when KVM is

+ enabled, the feature is supported, and the guest is 64-bit.

- When kvm-steal-time is enabled a 64-bit guest

- can account for time its CPUs were not running

- due to the host not scheduling the corresponding

- VCPU threads. The accounting statistics may

- influence the guest scheduler behavior and/or be

- exposed to the guest userspace.

+ When kvm-steal-time is enabled a 64-bit guest can account for time

+ its CPUs were not running due to the host not scheduling the

+ corresponding VCPU threads. The accounting statistics may influence

+ the guest scheduler behavior and/or be exposed to the guest

+ userspace.

TCG VCPU Features

=================

@@ -XXX,XX +XXX,XX @@ TCG VCPU Features

TCG VCPU features are CPU features that are specific to TCG.

Below is the list of TCG VCPU features and their descriptions.

- pauth-impdef When ``FEAT_Pauth`` is enabled, either the

- *impdef* (Implementation Defined) algorithm

- is enabled or the *architected* QARMA algorithm

- is enabled. By default the impdef algorithm

- is disabled, and QARMA is enabled.

+``pauth-impdef``

+ When ``FEAT_Pauth`` is enabled, either the *impdef* (Implementation

+ Defined) algorithm is enabled or the *architected* QARMA algorithm

+ is enabled. By default the impdef algorithm is disabled, and QARMA

+ is enabled.

- The architected QARMA algorithm has good

- cryptographic properties, but can be quite slow

- to emulate. The impdef algorithm used by QEMU

- is non-cryptographic but significantly faster.

+ The architected QARMA algorithm has good cryptographic properties,

+ but can be quite slow to emulate. The impdef algorithm used by QEMU

+ is non-cryptographic but significantly faster.

SVE CPU Properties

==================

2.34.1

Unfortunately a bug in older versions of gdb means that they will

crash if QEMU sends them the aarch64-pauth.xml. This bug is fixed in

gdb commit 1ba3a3222039eb25, and there are plans to backport that to

affected gdb release branches, but since the bug affects gdb 9

through 12 it is very widely deployed (for instance by distros).

It is not currently clear what the best way to deal with this is; it

has been proposed to define a new XML feature name that old gdb will

ignore but newer gdb can handle. Since QEMU's 8.0 release is

imminent and at least one of our CI runners is now falling over this,

disable the pauth XML for the moment. We can follow up with a more

considered fix either in time for 8.0 or else for the 8.1 release.

target/arm/gdbstub.c | 7 +++++++

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c

--- a/target/arm/gdbstub.c

+++ b/target/arm/gdbstub.c