qemu/include/hw
Greg Kurz 37035df51e nvram: Exit QEMU if NVRAM cannot contain all -prom-env data
Since commit 61f20b9dc5 ("spapr_nvram: Pre-initialize the NVRAM to
support the -prom-env parameter"), pseries machines can pre-initialize
the "system" partition in the NVRAM with the data passed to all -prom-env
parameters on the QEMU command line.

In this case it is assumed that all the data fits in 64 KiB, but the user
can easily pass more and crash QEMU:

$ qemu-system-ppc64 -M pseries $(for ((x=0;x<128;x++)); do \
  echo -n " -prom-env " ; printf "%0.sx" {1..1024}; \
  done) # this requires ~128 Kib
malloc(): corrupted top size
Aborted (core dumped)

This happens because we don't check if all the prom-env data fits in
the NVRAM and chrp_nvram_set_var() happily memcpy() it passed the
buffer.

This crash affects basically all ppc/ppc64 machine types that use -prom-env:
- pseries (all versions)
- g3beige
- mac99

and also sparc/sparc64 machine types:
- LX
- SPARCClassic
- SPARCbook
- SS-10
- SS-20
- SS-4
- SS-5
- SS-600MP
- Voyager
- sun4u
- sun4v

Add a max_len argument to chrp_nvram_create_system_partition() so that
it can check the available size before writing to memory.

Since NVRAM is populated at machine init, it seems reasonable to consider
this error as fatal. So, instead of reporting an error when we detect that
the NVRAM is too small and adapt all machine types to handle it, we simply
exit QEMU in all cases. This is still better than crashing. If someone
wants another behavior, I guess this can be reworked later.

Tested with:

$ yes q | \
  (for arch in ppc ppc64 sparc sparc64; do \
       echo == $arch ==; \
       qemu=${arch}-softmmu/qemu-system-$arch; \
       for mach in $($qemu -M help | awk '! /^Supported/ { print $1 }'); do \
           echo $mach; \
           $qemu -M $mach -monitor stdio -nodefaults -nographic \
           $(for ((x=0;x<128;x++)); do \
                 echo -n " -prom-env " ; printf "%0.sx" {1..1024}; \
             done) >/dev/null; \
        done; echo; \
   done)

Without the patch, affected machine types cause QEMU to report some
memory corruption and crash:

malloc(): corrupted top size

free(): invalid size

*** stack smashing detected ***: terminated

With the patch, QEMU prints the following message and exits:

NVRAM is too small. Try to pass less data to -prom-env

It seems that the conditions for the crash have always existed, but it
affects pseries, the machine type I care for, since commit 61f20b9dc5
only.

Fixes: 61f20b9dc5 ("spapr_nvram: Pre-initialize the NVRAM to support the -prom-env parameter")
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1867739
Reported-by: John Snow <jsnow@redhat.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <159736033937.350502.12402444542194031035.stgit@bahia.lan>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-08-14 13:34:31 +10:00
..
acpi acpi: Some build_tpm2() code reshape 2020-06-24 17:18:28 -04:00
adc include: Make headers more self-contained 2019-08-16 13:31:51 +02:00
arm hw/intc/armv7m_nvic: Provide default "reset the system" behaviour for SYSRESETREQ 2020-08-03 17:55:03 +01:00
audio qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
block virtio,acpi,pci: fixes, cleanups. 2020-06-25 16:52:42 +01:00
char hw/char: Convert the Ibex UART to use the registerfields API 2020-07-13 17:25:37 -07:00
core cputlb: ensure we save the IOTLB data in case of reset 2020-07-15 11:52:43 +01:00
cpu Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
cris sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
display qom/object: Move Object typedef to 'qemu/typedefs.h' 2020-06-10 12:09:36 -04:00
dma hw/arm/bcm283x: Correct the license text 2020-03-23 17:22:30 +00:00
firmware
gpio nrf51: Fix last GPIO CNF address 2020-04-30 11:52:27 +01:00
hyperv hyperv: vmbus: Remove the 2nd IRQ 2020-06-26 09:39:40 -04:00
i2c hw/i2c: Document the I2C qdev helpers 2020-07-16 12:30:54 -05:00
i386 * Make checkpatch say 'qemu' instead of 'kernel' (Aleksandar) 2020-07-11 16:52:24 +01:00
ide hw/ide: Make IDEDMAOps handlers take a const IDEDMA pointer 2020-06-17 14:53:39 +02:00
input adb: add autopoll_blocked variable to block autopoll 2020-06-26 10:13:51 +01:00
intc hw/intc: RX62N interrupt controller (ICUa) 2020-06-22 18:37:12 +02:00
ipack Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
ipmi ipmi: Add support to customize OEM functions 2019-12-17 10:39:47 +11:00
isa isa: isa_create(), isa_try_create() are now unused, drop 2020-06-15 22:05:28 +02:00
kvm
lm32
m68k m68k: Add NeXTcube machine 2019-09-07 08:31:51 +02:00
mem hw/acpi/nvdimm: add a helper to augment SRAT generation 2020-06-09 11:17:59 -04:00
mips Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
misc hw/misc: avr: Add limited support for power reduction device 2020-07-11 11:02:05 +02:00
net Add a phy-num property to the i.MX FEC emulator 2020-07-03 16:59:41 +01:00
nubus hw/m68k: add Nubus support 2019-10-28 19:06:47 +01:00
nvram nvram: Exit QEMU if NVRAM cannot contain all -prom-env data 2020-08-14 13:34:31 +10:00
pci hw/pci-host: save/restore pci host config register 2020-07-27 10:24:39 -04:00
pci-bridge
pci-host spapr: Add a new level of NUMA for GPUs 2020-07-20 09:21:39 +10:00
ppc spapr/xive: Simplify error handling of kvmppc_xive_cpu_synchronize_state() 2020-08-13 21:09:38 +10:00
rdma
riscv riscv: Add opensbi firmware dynamic support 2020-07-13 17:25:37 -07:00
rtc goldfish_rtc: Fix non-atomic read behaviour of TIME_LOW/TIME_HIGH 2020-07-22 09:39:46 -07:00
rx hw/rx: Add RX GDB simulator 2020-06-22 18:37:12 +02:00
s390x s390x/css: Refactor the css_queue_crw() routine 2020-06-18 12:13:54 +02:00
scsi qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
sd sd: sdhci: Implement basic vendor specific register support 2020-06-16 10:32:29 +01:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 hw/sh4: Extract timer definitions to 'hw/timer/tmu012.h' 2020-06-22 18:37:12 +02:00
southbridge hw/ide: Do ide_drive_get() within pci_ide_create_devs() 2020-03-17 12:22:36 -04:00
sparc Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
ssi Replace uses of FROM_SSI_SLAVE() macro with QOM casts 2020-07-03 16:59:46 +01:00
timer hw/timer: avr: Add limited support for 16-bit timer peripheral 2020-07-11 11:02:05 +02:00
tricore Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
unicore32
usb exec/cpu-common: Move MUSB specific typedefs to 'hw/usb/hcd-musb.h' 2020-06-12 11:20:15 -04:00
vfio vfio: Convert to ram_block_discard_disable() 2020-07-02 05:54:59 -04:00
virtio virtio-pci: fix virtio_pci_queue_enabled() 2020-07-27 11:34:50 -04:00
watchdog hw/watchdog: Implement full i.MX watchdog support 2020-05-21 20:00:18 +01:00
xen accel: Move Xen accelerator code under accel/xen/ 2020-06-10 12:09:56 -04:00
xtensa Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
boards.h numa: Auto-enable NUMA when any memory devices are possible 2020-07-03 07:57:04 -04:00
clock.h hw/core/clock-vmstate: define a vmstate entry for clock state 2020-04-30 15:35:40 +01:00
elf_ops.h hw/elf_ops: Do not ignore write failures when loading ELF 2020-06-10 12:10:23 -04:00
fw-path-provider.h
hotplug.h
hw.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
ide.h hw/ide: Move MAX_IDE_DEVS define to hw/ide/internal.h 2020-03-17 12:22:36 -04:00
irq.h include/hw/irq.h: New function qemu_irq_is_connected() 2020-08-03 17:55:03 +01:00
loader-fit.h
loader.h hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
nmi.h hw/nmi: Fix the NMI() macro, based on INTERFACE_CHECK() 2020-02-28 14:57:19 -05:00
or-irq.h hw/core/or-irq: Increase limit of or-lines to 48 2020-01-23 16:34:15 +00:00
pcmcia.h Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
platform-bus.h
ptimer.h ptimer: Remove old ptimer_init_with_bh() API 2019-11-11 13:44:16 +00:00
qdev-clock.h qdev-clock: introduce an init array to ease the device construction 2020-04-30 15:35:40 +01:00
qdev-core.h qdev: Document GPIO related functions 2020-07-20 11:35:17 +01:00
qdev-dma.h
qdev-properties.h qdev: Move doc comments from qdev.c to qdev-core.h 2020-07-20 11:35:17 +01:00
register.h hw/core/register: Add register_init_block8 helper. 2020-05-05 13:37:51 -07:00
registerfields.h hw/registerfields: Prefix local variables with underscore in macros 2020-05-27 11:23:07 -07:00
resettable.h hw/core: deprecate old reset functions and introduce new ones 2020-01-30 16:02:04 +00:00
stream.h hw/core: stream: Add an end-of-packet flag 2020-05-14 13:44:35 +02:00
sysbus.h sysbus: sysbus_init_child_obj() is now unused, drop 2020-06-15 22:06:04 +02:00
usb.h usb: usb_create() is now unused, drop 2020-06-15 22:05:28 +02:00
vmstate-if.h vmstate: add qom interface to get id 2020-01-06 18:41:32 +04:00