Since commit 61f20b9dc5b7 ("spapr_nvram: Pre-initialize the NVRAM to
support the -prom-env parameter"), pseries machines can pre-initialize
the "system" partition in the NVRAM with the data passed to all -prom-env
parameters on the QEMU command line.In this cases it is assumed that all the data fits in 64 KiB, but the user can easily pass more and crash QEMU: $ qemu-system-ppc64 -M pseries $(for ((x=0;x<128;x++)); do \ echo -n " -prom-env "$(for ((y=0;y<1024;y++)); do echo -n x ; done) ; \ done) # this requires ~128 Kib malloc(): corrupted top size Aborted (core dumped) Call chrp_nvram_create_system_partition() first, with its recently added parameter dry_run set to true, in order to know the required size and fail gracefully if it's too small. Reported-by: John Snow <[email protected]> Signed-off-by: Greg Kurz <[email protected]> --- hw/nvram/spapr_nvram.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hw/nvram/spapr_nvram.c b/hw/nvram/spapr_nvram.c index 992b818d34e7..c29d797ae1f0 100644 --- a/hw/nvram/spapr_nvram.c +++ b/hw/nvram/spapr_nvram.c @@ -145,6 +145,7 @@ static void rtas_nvram_store(PowerPCCPU *cpu, SpaprMachineState *spapr, static void spapr_nvram_realize(SpaprVioDevice *dev, Error **errp) { + ERRP_GUARD(); SpaprNvram *nvram = VIO_SPAPR_NVRAM(dev); int ret; @@ -187,6 +188,20 @@ static void spapr_nvram_realize(SpaprVioDevice *dev, Error **errp) return; } } else if (nb_prom_envs > 0) { + int len = chrp_nvram_create_system_partition(nvram->buf, + MIN_NVRAM_SIZE / 4, + true); + + /* Check the partition is large enough for all the -prom-env data */ + if (nvram->size < len) { + error_setg(errp, "-prom-env data requires %d bytes but spapr-nvram " + "is only %d bytes in size", len, nvram->size); + error_append_hint(errp, + "Try to pass %d less bytes to -prom-env.\n", + len - nvram->size); + return; + } + /* Create a system partition to pass the -prom-env variables */ chrp_nvram_create_system_partition(nvram->buf, MIN_NVRAM_SIZE / 4, false);
