tools/firmware/hvmloader/hvmloader.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
In order to get the CNT value from QEMU, we were supposed to read a
word, according to the implementation in QEMU. But it has been lax and
allowed to read a single byte. This has changed with commit
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"") and result in hvmloader crashing on
the BUG_ON.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
I'll try to have the QEMU implementation changes to allow reading a
byte, but it would probably by nice to not have to change qemu.
---
tools/firmware/hvmloader/hvmloader.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/firmware/hvmloader/hvmloader.c b/tools/firmware/hvmloader/hvmloader.c
index 598a22627872..bdcbe4a26664 100644
--- a/tools/firmware/hvmloader/hvmloader.c
+++ b/tools/firmware/hvmloader/hvmloader.c
@@ -256,7 +256,7 @@ static const struct bios_config *detect_bios(void)
static void acpi_enable_sci(void)
{
- uint8_t pm1a_cnt_val;
+ uint16_t pm1a_cnt_val;
#define PIIX4_SMI_CMD_IOPORT 0xb2
#define PIIX4_ACPI_ENABLE 0xf1
@@ -265,11 +265,11 @@ static void acpi_enable_sci(void)
* PIIX4 emulation in QEMU has SCI_EN=0 by default. We have no legacy
* SMM implementation, so give ACPI control to the OSPM immediately.
*/
- pm1a_cnt_val = inb(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
+ pm1a_cnt_val = inw(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
if ( !(pm1a_cnt_val & ACPI_PM1C_SCI_EN) )
outb(PIIX4_SMI_CMD_IOPORT, PIIX4_ACPI_ENABLE);
- pm1a_cnt_val = inb(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
+ pm1a_cnt_val = inw(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
BUG_ON(!(pm1a_cnt_val & ACPI_PM1C_SCI_EN));
}
--
Anthony PERARD
On Tue, Jun 30, 2020 at 06:09:13PM +0100, Anthony PERARD wrote:
> In order to get the CNT value from QEMU, we were supposed to read a
> word, according to the implementation in QEMU. But it has been lax and
> allowed to read a single byte. This has changed with commit
> 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> memory_region_access_valid"") and result in hvmloader crashing on
> the BUG_ON.
This is a bug on the QEMU side, the ACPI spec states: "Accesses to PM1
control registers are accessed through byte and word accesses.".
That's on section 4.8.3.2.1 PM1 Control Registers of my copy of the
ACPI spec (6.2A).
>
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
I'm fine with this if such bogus behavior has made it's way into a
release version of QEMU, but it needs to state it's a workaround for a
QEMU bug, not a bug in hvmloader.
IMO the QEMU change should be reverted.
Thanks, Roger.
On Wed, Jul 01, 2020 at 09:52:57AM +0200, Roger Pau Monné wrote:
> On Tue, Jun 30, 2020 at 06:09:13PM +0100, Anthony PERARD wrote:
> > In order to get the CNT value from QEMU, we were supposed to read a
> > word, according to the implementation in QEMU. But it has been lax and
> > allowed to read a single byte. This has changed with commit
> > 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> > memory_region_access_valid"") and result in hvmloader crashing on
> > the BUG_ON.
>
> This is a bug on the QEMU side, the ACPI spec states: "Accesses to PM1
> control registers are accessed through byte and word accesses.".
> That's on section 4.8.3.2.1 PM1 Control Registers of my copy of the
> ACPI spec (6.2A).
I guess we can ignore this patch then, and I should write a patch for
QEMU instead.
> I'm fine with this if such bogus behavior has made it's way into a
> release version of QEMU, but it needs to state it's a workaround for a
> QEMU bug, not a bug in hvmloader.
It hasn't, but might.
> IMO the QEMU change should be reverted.
The change can't be reverted, it is to fix a CVE and isn't related to
ACPI. But we can fix the emulator.
> Thanks, Roger.
Thanks,
--
Anthony PERARD
© 2016 - 2024 Red Hat, Inc.