From 0b903369951cac12ccdfc66a7520b413eca1bb62 Mon Sep 17 00:00:00 2001 From: Chen Baozi Date: Mon, 13 Mar 2023 11:39:36 +0800 Subject: [PATCH 1/8] target/arm: Add Neoverse-N1 registers Add implementation defined registers for neoverse-n1 which would be accessed by TF-A. Since there is no DSU in Qemu, CPUCFR_EL1.SCU bit is set to 1 to avoid DSU registers definition. Signed-off-by: Chen Baozi Reviewed-by: Peter Maydell Tested-by: Marcin Juszkiewicz Message-id: 20230313033936.585669-1-chenbaozi@phytium.com.cn Signed-off-by: Peter Maydell --- target/arm/cpu64.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index 4066950da1..0fb07cc7b6 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -21,6 +21,7 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "cpu.h" +#include "cpregs.h" #include "qemu/module.h" #include "sysemu/kvm.h" #include "sysemu/hvf.h" @@ -1027,6 +1028,72 @@ static void aarch64_a64fx_initfn(Object *obj) /* TODO: Add A64FX specific HPC extension registers */ } +static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = { + { .name = "ATCR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 7, .opc2 = 0, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ATCR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 0, + .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ATCR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 7, .opc2 = 0, + .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ATCR_EL12", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 5, .crn = 15, .crm = 7, .opc2 = 0, + .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "AVTCR_EL2", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 1, + .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 0, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUACTLR2_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 1, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUACTLR3_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 2, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + /* + * Report CPUCFR_EL1.SCU as 1, as we do not implement the DSU + * (and in particular its system registers). + */ + { .name = "CPUCFR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 0, + .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 4 }, + { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 4, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0x961563010 }, + { .name = "CPUPCR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 1, + .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUPMR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 3, + .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUPOR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 2, + .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUPSELR_EL3", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 0, + .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "CPUPWRCTLR_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ERXPFGCDN_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 2, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ERXPFGCTL_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 1, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + { .name = "ERXPFGF_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0, + .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, +}; + +static void define_neoverse_n1_cp_reginfo(ARMCPU *cpu) +{ + define_arm_cp_regs(cpu, neoverse_n1_cp_reginfo); +} + static void aarch64_neoverse_n1_initfn(Object *obj) { ARMCPU *cpu = ARM_CPU(obj); @@ -1094,6 +1161,8 @@ static void aarch64_neoverse_n1_initfn(Object *obj) /* From D5.1 AArch64 PMU register summary */ cpu->isar.reset_pmcr_el0 = 0x410c3000; + + define_neoverse_n1_cp_reginfo(cpu); } static void aarch64_host_initfn(Object *obj) From 0c88f93788d33795a4c14a0ca999607a6546f8b8 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 14 Mar 2023 17:08:04 +0000 Subject: [PATCH 2/8] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cadence UART attempts to avoid allowing the guest to set invalid baud rate register values in the uart_write() function. However it does the "mask to the size of the register field" and "check for invalid values" in the wrong order, which means that a malicious guest can get a bogus value into the register by setting also some high bits in the value, and cause QEMU to crash by division-by-zero. Do the mask before the bounds check instead of afterwards. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 Signed-off-by: Peter Maydell Reviewed-by: Thomas Huth Reviewed-by: Edgar E. Iglesias Reviewed-by: Wilfred Mallawa Reviewed-by: Alistair Francis Reviewed-by: Philippe Mathieu-Daudé Tested-by: Qiang Liu Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org --- hw/char/cadence_uart.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index c069a30842..807e398541 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, } break; case R_BRGR: /* Baud rate generator */ + value &= 0xffff; if (value >= 0x01) { - s->r[offset] = value & 0xFFFF; + s->r[offset] = value; } break; case R_BDIV: /* Baud rate divider */ + value &= 0xff; if (value >= 0x04) { - s->r[offset] = value & 0xFF; + s->r[offset] = value; } break; default: From 05adc48e1d60ebef57ca78626fbfce895a15664d Mon Sep 17 00:00:00 2001 From: Viktor Prutyanov Date: Thu, 23 Feb 2023 00:12:44 +0300 Subject: [PATCH 3/8] contrib/elf2dmp: fix code style Originally elf2dmp were added with some code style issues, especially in pe.h header, and some were introduced by 2d0fc797faaa73fbc1d30f5f9e90407bf3dd93f0. Fix them now. Signed-off-by: Viktor Prutyanov Reviewed-by: Annie Li Message-id: 20230222211246.883679-2-viktor@daynix.com Signed-off-by: Peter Maydell --- contrib/elf2dmp/addrspace.c | 1 + contrib/elf2dmp/main.c | 9 ++-- contrib/elf2dmp/pe.h | 100 ++++++++++++++++++------------------ 3 files changed, 57 insertions(+), 53 deletions(-) diff --git a/contrib/elf2dmp/addrspace.c b/contrib/elf2dmp/addrspace.c index 53ded17061..0b04cba00e 100644 --- a/contrib/elf2dmp/addrspace.c +++ b/contrib/elf2dmp/addrspace.c @@ -11,6 +11,7 @@ static struct pa_block *pa_space_find_block(struct pa_space *ps, uint64_t pa) { size_t i; + for (i = 0; i < ps->block_nr; i++) { if (ps->block[i].paddr <= pa && pa <= ps->block[i].paddr + ps->block[i].size) { diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c index d77b8f98f7..9224764239 100644 --- a/contrib/elf2dmp/main.c +++ b/contrib/elf2dmp/main.c @@ -282,14 +282,16 @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps, }; for (i = 0; i < ps->block_nr; i++) { - h.PhysicalMemoryBlock.NumberOfPages += ps->block[i].size / ELF2DMP_PAGE_SIZE; + h.PhysicalMemoryBlock.NumberOfPages += + ps->block[i].size / ELF2DMP_PAGE_SIZE; h.PhysicalMemoryBlock.Run[i] = (WinDumpPhyMemRun64) { .BasePage = ps->block[i].paddr / ELF2DMP_PAGE_SIZE, .PageCount = ps->block[i].size / ELF2DMP_PAGE_SIZE, }; } - h.RequiredDumpSpace += h.PhysicalMemoryBlock.NumberOfPages << ELF2DMP_PAGE_BITS; + h.RequiredDumpSpace += + h.PhysicalMemoryBlock.NumberOfPages << ELF2DMP_PAGE_BITS; *hdr = h; @@ -299,7 +301,8 @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps, static int fill_context(KDDEBUGGER_DATA64 *kdbg, struct va_space *vs, QEMU_Elf *qe) { - int i; + int i; + for (i = 0; i < qe->state_nr; i++) { uint64_t Prcb; uint64_t Context; diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h index c2a4a6ba7c..807d006364 100644 --- a/contrib/elf2dmp/pe.h +++ b/contrib/elf2dmp/pe.h @@ -33,70 +33,70 @@ typedef struct IMAGE_DOS_HEADER { } __attribute__ ((packed)) IMAGE_DOS_HEADER; typedef struct IMAGE_FILE_HEADER { - uint16_t Machine; - uint16_t NumberOfSections; - uint32_t TimeDateStamp; - uint32_t PointerToSymbolTable; - uint32_t NumberOfSymbols; - uint16_t SizeOfOptionalHeader; - uint16_t Characteristics; + uint16_t Machine; + uint16_t NumberOfSections; + uint32_t TimeDateStamp; + uint32_t PointerToSymbolTable; + uint32_t NumberOfSymbols; + uint16_t SizeOfOptionalHeader; + uint16_t Characteristics; } __attribute__ ((packed)) IMAGE_FILE_HEADER; typedef struct IMAGE_DATA_DIRECTORY { - uint32_t VirtualAddress; - uint32_t Size; + uint32_t VirtualAddress; + uint32_t Size; } __attribute__ ((packed)) IMAGE_DATA_DIRECTORY; #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 typedef struct IMAGE_OPTIONAL_HEADER64 { - uint16_t Magic; /* 0x20b */ - uint8_t MajorLinkerVersion; - uint8_t MinorLinkerVersion; - uint32_t SizeOfCode; - uint32_t SizeOfInitializedData; - uint32_t SizeOfUninitializedData; - uint32_t AddressOfEntryPoint; - uint32_t BaseOfCode; - uint64_t ImageBase; - uint32_t SectionAlignment; - uint32_t FileAlignment; - uint16_t MajorOperatingSystemVersion; - uint16_t MinorOperatingSystemVersion; - uint16_t MajorImageVersion; - uint16_t MinorImageVersion; - uint16_t MajorSubsystemVersion; - uint16_t MinorSubsystemVersion; - uint32_t Win32VersionValue; - uint32_t SizeOfImage; - uint32_t SizeOfHeaders; - uint32_t CheckSum; - uint16_t Subsystem; - uint16_t DllCharacteristics; - uint64_t SizeOfStackReserve; - uint64_t SizeOfStackCommit; - uint64_t SizeOfHeapReserve; - uint64_t SizeOfHeapCommit; - uint32_t LoaderFlags; - uint32_t NumberOfRvaAndSizes; - IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; + uint16_t Magic; /* 0x20b */ + uint8_t MajorLinkerVersion; + uint8_t MinorLinkerVersion; + uint32_t SizeOfCode; + uint32_t SizeOfInitializedData; + uint32_t SizeOfUninitializedData; + uint32_t AddressOfEntryPoint; + uint32_t BaseOfCode; + uint64_t ImageBase; + uint32_t SectionAlignment; + uint32_t FileAlignment; + uint16_t MajorOperatingSystemVersion; + uint16_t MinorOperatingSystemVersion; + uint16_t MajorImageVersion; + uint16_t MinorImageVersion; + uint16_t MajorSubsystemVersion; + uint16_t MinorSubsystemVersion; + uint32_t Win32VersionValue; + uint32_t SizeOfImage; + uint32_t SizeOfHeaders; + uint32_t CheckSum; + uint16_t Subsystem; + uint16_t DllCharacteristics; + uint64_t SizeOfStackReserve; + uint64_t SizeOfStackCommit; + uint64_t SizeOfHeapReserve; + uint64_t SizeOfHeapCommit; + uint32_t LoaderFlags; + uint32_t NumberOfRvaAndSizes; + IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } __attribute__ ((packed)) IMAGE_OPTIONAL_HEADER64; typedef struct IMAGE_NT_HEADERS64 { - uint32_t Signature; - IMAGE_FILE_HEADER FileHeader; - IMAGE_OPTIONAL_HEADER64 OptionalHeader; + uint32_t Signature; + IMAGE_FILE_HEADER FileHeader; + IMAGE_OPTIONAL_HEADER64 OptionalHeader; } __attribute__ ((packed)) IMAGE_NT_HEADERS64; typedef struct IMAGE_DEBUG_DIRECTORY { - uint32_t Characteristics; - uint32_t TimeDateStamp; - uint16_t MajorVersion; - uint16_t MinorVersion; - uint32_t Type; - uint32_t SizeOfData; - uint32_t AddressOfRawData; - uint32_t PointerToRawData; + uint32_t Characteristics; + uint32_t TimeDateStamp; + uint16_t MajorVersion; + uint16_t MinorVersion; + uint32_t Type; + uint32_t SizeOfData; + uint32_t AddressOfRawData; + uint32_t PointerToRawData; } __attribute__ ((packed)) IMAGE_DEBUG_DIRECTORY; #define IMAGE_DEBUG_TYPE_CODEVIEW 2 From 06ac60b73e6abe1209d0ed1aca69d7f79f95b30b Mon Sep 17 00:00:00 2001 From: Viktor Prutyanov Date: Thu, 23 Feb 2023 00:12:45 +0300 Subject: [PATCH 4/8] contrib/elf2dmp: move PE dir search to pe_get_data_dir_entry Move out PE directory search functionality to be reused not only for Debug Directory processing but for arbitrary PE directory. Signed-off-by: Viktor Prutyanov Reviewed-by: Annie Li Message-id: 20230222211246.883679-3-viktor@daynix.com Signed-off-by: Peter Maydell --- contrib/elf2dmp/main.c | 71 +++++++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 29 deletions(-) diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c index 9224764239..2f6028d8eb 100644 --- a/contrib/elf2dmp/main.c +++ b/contrib/elf2dmp/main.c @@ -333,6 +333,45 @@ static int fill_context(KDDEBUGGER_DATA64 *kdbg, return 0; } +static int pe_get_data_dir_entry(uint64_t base, void *start_addr, int idx, + void *entry, size_t size, struct va_space *vs) +{ + const char e_magic[2] = "MZ"; + const char Signature[4] = "PE\0\0"; + IMAGE_DOS_HEADER *dos_hdr = start_addr; + IMAGE_NT_HEADERS64 nt_hdrs; + IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader; + IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader; + IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory; + + QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE); + + if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) { + return 1; + } + + if (va_space_rw(vs, base + dos_hdr->e_lfanew, + &nt_hdrs, sizeof(nt_hdrs), 0)) { + return 1; + } + + if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) || + file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) { + return 1; + } + + if (va_space_rw(vs, + base + data_dir[idx].VirtualAddress, + entry, size, 0)) { + return 1; + } + + printf("Data directory entry #%d: RVA = 0x%08"PRIx32"\n", idx, + (uint32_t)data_dir[idx].VirtualAddress); + + return 0; +} + static int write_dump(struct pa_space *ps, WinDumpHeader64 *hdr, const char *name) { @@ -369,42 +408,16 @@ static int write_dump(struct pa_space *ps, static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr, char *hash, struct va_space *vs) { - const char e_magic[2] = "MZ"; - const char Signature[4] = "PE\0\0"; const char sign_rsds[4] = "RSDS"; - IMAGE_DOS_HEADER *dos_hdr = start_addr; - IMAGE_NT_HEADERS64 nt_hdrs; - IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader; - IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader; - IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory; IMAGE_DEBUG_DIRECTORY debug_dir; OMFSignatureRSDS rsds; char *pdb_name; size_t pdb_name_sz; size_t i; - QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE); - - if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) { - return 1; - } - - if (va_space_rw(vs, base + dos_hdr->e_lfanew, - &nt_hdrs, sizeof(nt_hdrs), 0)) { - return 1; - } - - if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) || - file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) { - return 1; - } - - printf("Debug Directory RVA = 0x%08"PRIx32"\n", - (uint32_t)data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress); - - if (va_space_rw(vs, - base + data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress, - &debug_dir, sizeof(debug_dir), 0)) { + if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_DEBUG_DIRECTORY, + &debug_dir, sizeof(debug_dir), vs)) { + eprintf("Failed to get Debug Directory\n"); return 1; } From d399d6b179f07b9904de0e76d06c77a3d0a66b51 Mon Sep 17 00:00:00 2001 From: Viktor Prutyanov Date: Thu, 23 Feb 2023 00:12:46 +0300 Subject: [PATCH 5/8] contrib/elf2dmp: add PE name check and Windows Server 2022 support Since its inception elf2dmp has checked MZ signatures within an address space above IDT[0] interrupt vector and took first PE image found as Windows Kernel. But in Windows Server 2022 memory dump this address space range is full of invalid PE fragments and the tool must check that PE image is 'ntoskrnl.exe' actually. So, introduce additional validation by checking image name from Export Directory against 'ntoskrnl.exe'. Signed-off-by: Viktor Prutyanov Tested-by: Yuri Benditovich Reviewed-by: Annie Li Message-id: 20230222211246.883679-4-viktor@daynix.com Signed-off-by: Peter Maydell --- contrib/elf2dmp/main.c | 28 ++++++++++++++++++++++++++-- contrib/elf2dmp/pe.h | 15 +++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c index 2f6028d8eb..89f0c69ab0 100644 --- a/contrib/elf2dmp/main.c +++ b/contrib/elf2dmp/main.c @@ -17,6 +17,7 @@ #define SYM_URL_BASE "https://msdl.microsoft.com/download/symbols/" #define PDB_NAME "ntkrnlmp.pdb" +#define PE_NAME "ntoskrnl.exe" #define INITIAL_MXCSR 0x1f80 @@ -405,6 +406,25 @@ static int write_dump(struct pa_space *ps, return fclose(dmp_file); } +static bool pe_check_export_name(uint64_t base, void *start_addr, + struct va_space *vs) +{ + IMAGE_EXPORT_DIRECTORY export_dir; + const char *pe_name; + + if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_EXPORT_DIRECTORY, + &export_dir, sizeof(export_dir), vs)) { + return false; + } + + pe_name = va_space_resolve(vs, base + export_dir.Name); + if (!pe_name) { + return false; + } + + return !strcmp(pe_name, PE_NAME); +} + static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr, char *hash, struct va_space *vs) { @@ -489,6 +509,7 @@ int main(int argc, char *argv[]) uint64_t KdDebuggerDataBlock; KDDEBUGGER_DATA64 *kdbg; uint64_t KdVersionBlock; + bool kernel_found = false; if (argc != 3) { eprintf("usage:\n\t%s elf_file dmp_file\n", argv[0]); @@ -536,11 +557,14 @@ int main(int argc, char *argv[]) } if (*(uint16_t *)nt_start_addr == 0x5a4d) { /* MZ */ - break; + if (pe_check_export_name(KernBase, nt_start_addr, &vs)) { + kernel_found = true; + break; + } } } - if (!nt_start_addr) { + if (!kernel_found) { eprintf("Failed to find NT kernel image\n"); err = 1; goto out_ps; diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h index 807d006364..71126af1ac 100644 --- a/contrib/elf2dmp/pe.h +++ b/contrib/elf2dmp/pe.h @@ -88,6 +88,20 @@ typedef struct IMAGE_NT_HEADERS64 { IMAGE_OPTIONAL_HEADER64 OptionalHeader; } __attribute__ ((packed)) IMAGE_NT_HEADERS64; +typedef struct IMAGE_EXPORT_DIRECTORY { + uint32_t Characteristics; + uint32_t TimeDateStamp; + uint16_t MajorVersion; + uint16_t MinorVersion; + uint32_t Name; + uint32_t Base; + uint32_t NumberOfFunctions; + uint32_t NumberOfNames; + uint32_t AddressOfFunctions; + uint32_t AddressOfNames; + uint32_t AddressOfNameOrdinals; +} __attribute__ ((packed)) IMAGE_EXPORT_DIRECTORY; + typedef struct IMAGE_DEBUG_DIRECTORY { uint32_t Characteristics; uint32_t TimeDateStamp; @@ -102,6 +116,7 @@ typedef struct IMAGE_DEBUG_DIRECTORY { #define IMAGE_DEBUG_TYPE_CODEVIEW 2 #endif +#define IMAGE_FILE_EXPORT_DIRECTORY 0 #define IMAGE_FILE_DEBUG_DIRECTORY 6 typedef struct guid_t { From 3202b2628b470a2e44f3cc7b9582c724fe654bd1 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Thu, 16 Mar 2023 16:49:26 -0700 Subject: [PATCH 6/8] hw/usb/imx: Fix out of bounds access in imx_usbphy_read() The i.MX USB Phy driver does not check register ranges, resulting in out of bounds accesses if an attempt is made to access non-existing PHY registers. Add range check and conditionally report bad accesses to fix the problem. While at it, also conditionally log attempted writes to non-existing or read-only registers. Reported-by: Qiang Liu Signed-off-by: Guenter Roeck Tested-by: Qiang Liu Message-id: 20230316234926.208874-1-linux@roeck-us.net Link: https://gitlab.com/qemu-project/qemu/-/issues/1408 Fixes: 0701a5efa015 ("hw/usb: Add basic i.MX USB Phy support") Signed-off-by: Guenter Roeck Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/usb/imx-usb-phy.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/hw/usb/imx-usb-phy.c b/hw/usb/imx-usb-phy.c index 5d7a549e34..1a97b36a11 100644 --- a/hw/usb/imx-usb-phy.c +++ b/hw/usb/imx-usb-phy.c @@ -13,6 +13,7 @@ #include "qemu/osdep.h" #include "hw/usb/imx-usb-phy.h" #include "migration/vmstate.h" +#include "qemu/log.h" #include "qemu/module.h" static const VMStateDescription vmstate_imx_usbphy = { @@ -90,7 +91,15 @@ static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size) value = s->usbphy[index - 3]; break; default: - value = s->usbphy[index]; + if (index < USBPHY_MAX) { + value = s->usbphy[index]; + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Read from non-existing USB PHY register 0x%" + HWADDR_PRIx "\n", + __func__, offset); + value = 0; + } break; } return (uint64_t)value; @@ -168,7 +177,13 @@ static void imx_usbphy_write(void *opaque, hwaddr offset, uint64_t value, s->usbphy[index - 3] ^= value; break; default: - /* Other registers are read-only */ + /* Other registers are read-only or do not exist */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Write to %s USB PHY register 0x%" + HWADDR_PRIx "\n", + __func__, + index >= USBPHY_MAX ? "non-existing" : "read-only", + offset); break; } } From d4e2cc9aa4f2c8c4782fd18aa25e76d26e98111c Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 16 Mar 2023 10:58:08 +0000 Subject: [PATCH 7/8] docs/system/arm/cpu-features.rst: Fix formatting The markup for the Arm CPU feature documentation is incorrect, and results in the HTML not rendering correctly -- the first line of each description is rendered in boldface as if it were part of the option name. Reformat to match the styling used in cpu-models-x86.rst.inc. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1479 Signed-off-by: Peter Maydell Message-id: 20230316105808.1414003-1-peter.maydell@linaro.org Reviewed-by: Cornelia Huck --- docs/system/arm/cpu-features.rst | 68 ++++++++++++++------------------ 1 file changed, 30 insertions(+), 38 deletions(-) diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst index 00c444042f..f4524b6d3e 100644 --- a/docs/system/arm/cpu-features.rst +++ b/docs/system/arm/cpu-features.rst @@ -177,39 +177,32 @@ are named with the prefix "kvm-". KVM VCPU features may be probed, enabled, and disabled in the same way as other CPU features. Below is the list of KVM VCPU features and their descriptions. - kvm-no-adjvtime By default kvm-no-adjvtime is disabled. This - means that by default the virtual time - adjustment is enabled (vtime is not *not* - adjusted). +``kvm-no-adjvtime`` + By default kvm-no-adjvtime is disabled. This means that by default + the virtual time adjustment is enabled (vtime is not *not* adjusted). - When virtual time adjustment is enabled each - time the VM transitions back to running state - the VCPU's virtual counter is updated to ensure - stopped time is not counted. This avoids time - jumps surprising guest OSes and applications, - as long as they use the virtual counter for - timekeeping. However it has the side effect of - the virtual and physical counters diverging. - All timekeeping based on the virtual counter - will appear to lag behind any timekeeping that - does not subtract VM stopped time. The guest - may resynchronize its virtual counter with - other time sources as needed. + When virtual time adjustment is enabled each time the VM transitions + back to running state the VCPU's virtual counter is updated to + ensure stopped time is not counted. This avoids time jumps + surprising guest OSes and applications, as long as they use the + virtual counter for timekeeping. However it has the side effect of + the virtual and physical counters diverging. All timekeeping based + on the virtual counter will appear to lag behind any timekeeping + that does not subtract VM stopped time. The guest may resynchronize + its virtual counter with other time sources as needed. - Enable kvm-no-adjvtime to disable virtual time - adjustment, also restoring the legacy (pre-5.0) - behavior. + Enable kvm-no-adjvtime to disable virtual time adjustment, also + restoring the legacy (pre-5.0) behavior. - kvm-steal-time Since v5.2, kvm-steal-time is enabled by - default when KVM is enabled, the feature is - supported, and the guest is 64-bit. +``kvm-steal-time`` + Since v5.2, kvm-steal-time is enabled by default when KVM is + enabled, the feature is supported, and the guest is 64-bit. - When kvm-steal-time is enabled a 64-bit guest - can account for time its CPUs were not running - due to the host not scheduling the corresponding - VCPU threads. The accounting statistics may - influence the guest scheduler behavior and/or be - exposed to the guest userspace. + When kvm-steal-time is enabled a 64-bit guest can account for time + its CPUs were not running due to the host not scheduling the + corresponding VCPU threads. The accounting statistics may influence + the guest scheduler behavior and/or be exposed to the guest + userspace. TCG VCPU Features ================= @@ -217,16 +210,15 @@ TCG VCPU Features TCG VCPU features are CPU features that are specific to TCG. Below is the list of TCG VCPU features and their descriptions. - pauth-impdef When ``FEAT_Pauth`` is enabled, either the - *impdef* (Implementation Defined) algorithm - is enabled or the *architected* QARMA algorithm - is enabled. By default the impdef algorithm - is disabled, and QARMA is enabled. +``pauth-impdef`` + When ``FEAT_Pauth`` is enabled, either the *impdef* (Implementation + Defined) algorithm is enabled or the *architected* QARMA algorithm + is enabled. By default the impdef algorithm is disabled, and QARMA + is enabled. - The architected QARMA algorithm has good - cryptographic properties, but can be quite slow - to emulate. The impdef algorithm used by QEMU - is non-cryptographic but significantly faster. + The architected QARMA algorithm has good cryptographic properties, + but can be quite slow to emulate. The impdef algorithm used by QEMU + is non-cryptographic but significantly faster. SVE CPU Properties ================== From 5787d17a42f7af4bd117e5d6bfa54b1fdf93c255 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Fri, 17 Mar 2023 16:50:57 +0000 Subject: [PATCH 8/8] target/arm: Don't advertise aarch64-pauth.xml to gdb Unfortunately a bug in older versions of gdb means that they will crash if QEMU sends them the aarch64-pauth.xml. This bug is fixed in gdb commit 1ba3a3222039eb25, and there are plans to backport that to affected gdb release branches, but since the bug affects gdb 9 through 12 it is very widely deployed (for instance by distros). It is not currently clear what the best way to deal with this is; it has been proposed to define a new XML feature name that old gdb will ignore but newer gdb can handle. Since QEMU's 8.0 release is imminent and at least one of our CI runners is now falling over this, disable the pauth XML for the moment. We can follow up with a more considered fix either in time for 8.0 or else for the 8.1 release. Signed-off-by: Peter Maydell --- target/arm/gdbstub.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c index 78105b8078..3bd86cee97 100644 --- a/target/arm/gdbstub.c +++ b/target/arm/gdbstub.c @@ -520,11 +520,18 @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu) aarch64_gdb_set_fpu_reg, 34, "aarch64-fpu.xml", 0); } +#if 0 + /* + * GDB versions 9 through 12 have a bug which means they will + * crash if they see this XML from QEMU; disable it for the 8.0 + * release, pending a better solution. + */ if (isar_feature_aa64_pauth(&cpu->isar)) { gdb_register_coprocessor(cs, aarch64_gdb_get_pauth_reg, aarch64_gdb_set_pauth_reg, 4, "aarch64-pauth.xml", 0); } +#endif #endif } else { if (arm_feature(env, ARM_FEATURE_NEON)) {