[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

[Simon John]

Thanks Mark, what an interesting exercise that was - and sorry, didn't
know 5.1 was due.

So the git bisect revealed this:

$ git bisect good
5d971f9e672507210e77d020d89e0e89165c8fc9 is the first bad commit
commit 5d971f9e672507210e77d020d89e0e89165c8fc9
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Wed Jun 10 09:47:49 2020 -0400

    memory: Revert "memory: accept mismatching sizes in 
memory_region_access_valid"
    
    Memory API documentation documents valid .min_access_size and 
.max_access_size
    fields and explains that any access outside these boundaries is blocked.
    
    This is what devices seem to assume.
    
    However this is not what the implementation does: it simply
    ignores the boundaries unless there's an "accepts" callback.
    
    Naturally, this breaks a bunch of devices.
    
    Revert to the documented behaviour.
    
    Devices that want to allow any access can just drop the valid field,
    or add the impl field to have accesses converted to appropriate
    length.
    
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Richard Henderson <rth@twiddle.net>
    Fixes: CVE-2020-13754
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
    Fixes: a014ed07bd5a ("memory: accept mismatching sizes in 
memory_region_access_valid")
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Message-Id: <20200610134731.1514409-1-mst@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 memory.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)


** Bug watch added: Red Hat Bugzilla #1842363
   https://bugzilla.redhat.com/show_bug.cgi?id=1842363

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13754

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1886318

Title:
  Qemu after v5.0.0 breaks macos guests

Status in QEMU:
  New

Bug description:
  The Debian Sid 5.0-6 qemu-kvm package can no longer get further than
  the Clover bootloader whereas 5.0-6 and earlier worked fine.

  So I built qemu master from github and it has the same problem,
  whereas git tag v5.0.0 (or 4.2.1) does not, so something between
  v5.0.0 release and the last few days has caused the problem.

  Here's my qemu script, pretty standard macOS-Simple-KVM setup on a
  Xeon host:

  qemu-system-x86_64 \
      -enable-kvm \
      -m 4G \
      -machine q35,accel=kvm \
      -smp 4,sockets=1,cores=2,threads=2 \
      -cpu 
  
Penryn,vendor=GenuineIntel,kvm=on,+sse3,+sse4.2,+aes,+xsave,+avx,+xsaveopt,+xsavec,+xgetbv1,+avx2,+bmi2,+smep,+bmi1,+fma,+movbe,+invtsc
 
  \
      -device 
  
isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
 
  \
      -smbios type=2 \
      -drive if=pflash,format=raw,readonly,file="/tmp/OVMF_CODE.fd" \
      -drive if=pflash,format=raw,file="/tmp/macos_catalina_VARS.fd" \
      -vga qxl \
      -device ich9-ahci,id=sata \
      -drive id=ESP,if=none,format=raw,file=/tmp/ESP.img \
      -device ide-hd,bus=sata.2,drive=ESP \
      -drive id=InstallMedia,format=raw,if=none,file=/tmp/BaseSystem.img \
      -device ide-hd,bus=sata.3,drive=InstallMedia \
      -drive id=SystemDisk,if=none,format=raw,file=/tmp/macos_catalina.img \
      -device ide-hd,bus=sata.4,drive=SystemDisk \
      -usb -device usb-kbd -device usb-mouse

  Perhaps something has changed in Penryn support recently, as that's
  required for macos?

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247

  Also on a related note, kernel 5.6/5.7 (on Debian) hard crashes the
  host when I try GPU passthrough on macos, whereas Ubuntu20/Win10 work
  fine - as does 5.5 kernel.

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961676

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1886318/+subscriptions