This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Cannot mount root from NAND after successful restore #21

Closed
asdfugil opened this issue Mar 4, 2022 · 10 comments

Comments

@asdfugil

asdfugil commented Mar 4, 2022

After a successful restore, rootfs cannot be mounted for some reason.
The rootfs is already modified, and has its snapshot renamed to orig-fs.

rootfs binaries (not the ones in the wiki, as I wanted a newer bash)
bash.plist and launchd.plist from setup-ios
Although I do not think these details mattered when the rootfs is not even mounted.

A filesystem check on the APFS container reported no problem, and it can be mounted on macOS.

This appears to be the log related to the problem:

Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed

Host is Debian bullseye
Full log:

Loading iOS 14.0...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a4cd4f0
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007b5d718
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Routine)
kpf_amfi_callback: start @ 0xfffffff0097edcb8
kpf_amfi_callback: Found lookup_in_trust_cache_module
KPF: Found AppleKeyStoreUserClient::handleUserClientCommandGated
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000800000000
entry: 0x00000008041204e8
boot_mode: 0
auto-boot=true
cmdline: [debug=0x14e kextlog=0xffff rd=disk0s1 serial=3 -v wdt=-1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 3.0.0: Wed Aug 12 22:19:21 PDT 2020; root:AppleImage4-106.0.4.0.1~129/AppleImage4/RELEASE_ARM64E
AMFI is running in RESEARCH mode!
AUC:[0xffffffe19b677dd0]::init(0xffffffe19b5cc1b8)

AUC:[0xffffffe19b677dd0]::probe(0xffffffe19b445fe0, 0xffffffe80a31bdac)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleARMBootPerf: Error: profile region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::105:CoreAnalyticsHub start
AppleInterruptController::start: Num Shared Timestamps == 0
AppleSSE::start called
AppleSSE::start returning, result = 1
AUC:[0xffffffe19b677dd0]::start(0xffffffe19b445fe0)

AppleSEPKeyStore:321:0: starting (BUILT: Aug 12 2020 22:51:30)
AppleSEPKeyStore:545:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
virtual bool AppleARMLightEmUp::start(IOService *): starting...
000001.935910 wlan0.A[1] start@968:Default options property found with value 4
Creating an object of AppleBCMWLANPlatformFunctionEmbeddedAMFM class
000001.948877 wlan0.A[2] start@1401: Raised adjustBusy(+1), getBusyState() -> 1
000001.949319 wlan0.A[3] start@1403:Setting up notifier for CoreAnalyticsHub
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(ANS2): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SMC): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(SMC): Resuming...

Starting AppleSMC kext(<ptr>) - (Aug 12 2020@22:51:44)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=0 newState=1
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
virtual bool AppleANS2NVMeController::start(IOService *)::394:Found the ANS2Endpoint1
bool AppleEmbeddedNVMeController::SetNamespacesStruct()::186:Obtained 7 namespaces from DT
virtual IOFilterInterruptEventSource *AppleANS2NVMeController::CreateDeviceInterrupt(IOInterruptEventSource::Action, IOFilterInterruptEventSource::Filter, IOService *)::2719:ANS2 NVMe interrupt index - 0x4
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleS5L8960XUSBPhy::start: hsic disabled
Identified Serial Port uart7 at 0x23521c000(<ptr>)
Identified Serial Port uart0 at 0x235200000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(SIO): start(<ptr>) - (Aug 12 2020@22:50:37)
RTBuddy(SIO): Boot args override: wdt = -1
000002.252741 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
000002.282571 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
000002.287644 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::gated_handleUSBCableConnect: cable connected, but don't have device configuration yet
LPM: Log data is NOT valid. 0x0 0x0
AppleDialogSPMIPMU::start: Primary PMU detected
/Library/Caches/com.apple.xbs/Sources/AppleSMC/AppleSMC-589.0.5/AppleSMCEmbeddedCharger/AppleSMCCharger.cpp:408 _setPowerStateGated() ENTER powerStateOrdinal=1, _powerState=1
AppleARMRTC started!#####
AppleDialogSPMIPMURTC started!******
Failed to read info-leg_scrpadAppleDialogSPMIPMURTC tick read!&&&&&&&
AppleDialogSPMIPMURTC ending!%%%
AppleARMRTC registering service!@@@@@@
AppleARMRTC service registered!$$$$$
AppleARMRTC publishing service!^^^^^^
apfs_module_start:2411: load: com.apple.filesystems.apfs, v1677.0.5, apfs-1677.0.5, 2020/08/12
com.apple.AppleFSCompressionTypeZlib kmod start
apfs_sysctl_register:1253: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
Load request for com.apple.nke.pptp failed: -603946998
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=0 entrysize=64
virtual IOReturn IONVMeController::CreateSubmissionQueue(uint16_t, uint8_t)::2886:SQ index=1 entrysize=128
ANS2: MMIO write to unknown vendor register, offset=0x1210 value=0x240024, returning
ANS2: MMIO write to unknown vendor register, offset=0x24004 value=0x1000, returning
ANS2: MMIO write to unknown vendor register, offset=0x24008 value=0x0, returning
ANS2: MMIO write to unknown vendor register, offset=0x24118 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24108 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24420 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24414 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x2441c value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24418 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24144 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24524 value=0x10002, returning
ANS2: MMIO write to unknown vendor register, offset=0x24508 value=0x102, returning
ANS2: MMIO write to unknown vendor register, offset=0x24504 value=0x10002, returning
virtual void AppleANS2NVMeController::SetModeselRegister(uint32_t)::1186:Setting modesel to 0
ANS2: MMIO write to unknown vendor register, offset=0x1304 value=0x0, returning
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1964:nvme: Vendor ID     : 0x1b36
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1965:nvme: Model Number  : QEMU NVMe Ctrl                          
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1966:nvme: Serial Number : QEMUT8030ANS        
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::1967:nvme: Firmware Rev  : 1.0     
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2000:nvme: S3E A0 Invalid 1x slc 1D 0 plane 128GB NAND
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2009:ECCVersion   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2010:FTL Rev      : 0.0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2011:DM_Version   : 0
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2012:=======================
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2019:Found 16 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[2] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[3] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[4] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[6] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[7] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[8] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[9] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[10] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[11] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[12] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[13] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[14] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[15] as nstype[0]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2435:Identified nsid[16] as nstype[0]
bool AppleEmbeddedNVMeController::SetSwapWriteLimit(uint32_t)::2192: Swap limit set to 2147483648bytes, 2GB
uint32_t AppleEmbeddedNVMeNVRAM::GetNVRAMSize()::745:NVRAM size is 8192 bytes
virtual bool AppleEmbeddedNVMeController::AllocateNodes(bool)::1578:allocateAll 1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
virtual bool AppleEmbeddedNVMeController::StartController()::1547:Setting NAND status to Ready
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOService</string><key>BSD Name</key><string ID="2">disk0s1</string></dict>
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(3) failed

Nick Chan

@TrungNguyen1909
Owner

I will look into this. But I don't remember seeing this issue so something might have broken along the way.

@iarchiveml

This is what happens after the mount failure:

Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(12) failed
Waiting on IOProviderClassIOMediaIOPropertyMatchPartition ID0x1
Got boot device = IOService:/AppleARMPE/arm-io@10F00000/AppleT803xIO/ans@77400000/AppleASCWrapV2/iop-ans-nub/RTBuddyV2/RTBuddyService/AppleANS2NVMeController/NS_01@1/IOBlockStorageDriver/QEMU NVMe Ctrl Media/IOFDiskPartitionScheme/Untitled 1@1
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:297: disk0s1 device accelerated crypto: 3 (compiled @ Aug 12 2020 22:19:57)
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(13) failed
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff00838c7cc): cannot find IOAESAccelerator
Debugger message: panic
Memory ID: 0x0
OS release type: Not set yet
OS version: Not set yet
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base: 0xfffffff007004000
mach_absolute_time: 0x57798b6d
Epoch Time: sec usec
Boot : 0x622311c8 0x0001c4c1
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x62231204 0x00042fad
Panicked task 0xffffffe19b972bc0: 1731 pages, 91 threads: pid 0: kernel_task
Panicked thread: 0xffffffe19bbfd170, backtrace: 0xffffffe80dc43680, tid: 125
lr: 0xfffffff007a2af48 fp: 0xffffffe80dc436c0
lr: 0xfffffff007a2ad48 fp: 0xffffffe80dc43730
lr: 0xfffffff007b64940 fp: 0xffffffe80dc43750
lr: 0xfffffff007b56e1c fp: 0xffffffe80dc43810
lr: 0xfffffff00811c5f4 fp: 0xffffffe80dc43820
lr: 0xfffffff007a2aa30 fp: 0xffffffe80dc43ba0
lr: 0xfffffff007a2aa30 fp: 0xffffffe80dc43c00
lr: 0xfffffff0097db97c fp: 0xffffffe80dc43c20
lr: 0xfffffff00838c7cc fp: 0xffffffe80dc43c30
lr: 0xfffffff008385d78 fp: 0xffffffe80dc43c70
lr: 0xfffffff008012734 fp: 0xffffffe80dc43d20
lr: 0xfffffff0080121d0 fp: 0xffffffe80dc43e00
lr: 0xfffffff0080104a0 fp: 0xffffffe80dc43e80
lr: 0xfffffff008016194 fp: 0xffffffe80dc43f00
lr: 0xfffffff00812495c fp: 0x0000000000000000
** Stackshot Succeeded ** Bytes Traced 9161 (Uncompressed 30240) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip

@TrungNguyen1909
Owner

This looks like a block size issue. I got through by removing block size settings from the commands. However, ::unmap() will constantly fail because block size should be 4096 for iOS. QEMU defaults to 512, so I think this might be a QEMU issue.
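The failure pattern discussed in this thread (APFS mountroot fails, XNU falls back to HFS, the retry loop runs until a panic) is easier to confirm from the log than by eye, and the first thing to check is the block geometry the kernel actually saw. The script below is an added example, not code from this issue or from qemu-t8030: it parses a verbose-boot log, reports the NVMe block size against the 4096-byte expectation stated in the comment above, decodes the errno values using the names from XNU's bsd/sys/errno.h, counts the failed mount attempts and captures the panic string. The sample log is assembled from lines posted earlier in this issue; the regexes and the 4096 constant are this example's own assumptions.

```python
"""Triage an XNU verbose-boot log whose root filesystem fails to mount (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# errno values from XNU's bsd/sys/errno.h that this kind of log produces.
DARWIN_ERRNO = {
    22: "EINVAL (Invalid argument)",
    79: "EFTYPE (Inappropriate file type or format)",
}

# iOS expects 4096-byte logical blocks on its NVMe namespaces (see the comment
# above); a different value is the first thing to suspect. Assumed constant.
EXPECTED_BLOCK_SIZE = 4096

BLOCK_RE = re.compile(r"device_handle block size (\d+) block count (\d+)")
APFS_RE = re.compile(r"apfs: mountroot failed, error: (\d+)")
HFS_RE = re.compile(r"hfs_mountfs returned error=(\d+)")
MOUNT_RE = re.compile(r"^mount\((\d+)\) failed$")
PANIC_RE = re.compile(r"^panic\(cpu \d+ caller 0x[0-9a-fA-F]+\): (.+)$")


@dataclass
class MountRootReport:
    block_size: Optional[int] = None
    block_count: Optional[int] = None
    apfs_errors: List[int] = field(default_factory=list)  # errno per APFS mountroot attempt
    hfs_errors: List[int] = field(default_factory=list)   # errno from the HFS fallback
    mount_attempts: int = 0                                # "mount(N) failed" lines seen
    panic: Optional[str] = None

    @property
    def block_size_mismatch(self) -> bool:
        return self.block_size is not None and self.block_size != EXPECTED_BLOCK_SIZE


def decode_errno(code: int) -> str:
    return DARWIN_ERRNO.get(code, f"errno {code} (not in table)")


def triage(log: str) -> MountRootReport:
    """Walk the log once and collect the facts needed to classify the failure."""
    report = MountRootReport()
    for raw in log.splitlines():
        line = raw.strip()
        if m := BLOCK_RE.search(line):
            report.block_size, report.block_count = int(m.group(1)), int(m.group(2))
        elif m := APFS_RE.search(line):
            report.apfs_errors.append(int(m.group(1)))
        elif m := HFS_RE.search(line):
            report.hfs_errors.append(int(m.group(1)))
        elif MOUNT_RE.match(line):
            report.mount_attempts += 1
        elif m := PANIC_RE.match(line):
            report.panic = m.group(1).strip('"')  # userspace panics are quoted
    return report


def summarize(report: MountRootReport) -> List[str]:
    """Human-readable findings, one per line, geometry first and panic last."""
    out: List[str] = []
    if report.block_size is not None:
        verdict = " -> MISMATCH, expected 4096" if report.block_size_mismatch else " -> ok"
        out.append(f"block size {report.block_size}, {report.block_count} blocks{verdict}")
    for code in sorted(set(report.apfs_errors)):
        out.append(f"APFS mountroot failed {report.apfs_errors.count(code)}x: {decode_errno(code)}")
    for code in sorted(set(report.hfs_errors)):
        out.append(f"HFS fallback failed {report.hfs_errors.count(code)}x: {decode_errno(code)}")
    out.append(f"{report.mount_attempts} mount(2) attempts failed")
    if report.panic:
        out.append(f"panic: {report.panic}")
    return out


# Constructed sample, assembled from lines posted in this issue.
SAMPLE_LOG = """\
BSD root: disk0s1, major 1, minor 1
apfs_vfsop_mountroot:2188: apfs: mountroot called!
dev_init:300: disk0s1 device_handle block size 4096 block count 8388607 features 22 internal solidstate
apfs_vfsop_mount:1745: unable to root from devvp <ptr> (root_device): 79
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_ValidateHFSPlusVolumeHeader: unknown Volume Signature : 0
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(2) failed
apfs_vfsop_mountroot:2192: apfs: mountroot failed, error: 79
hfs_mount: hfs_mountfs returned error=22 for device unknown-dev
mount(3) failed
panic(cpu 0 caller 0xfffffff00838c7cc): cannot find IOAESAccelerator
"""

if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LOG)):
        print(finding)
```

Run it against a full serial capture rather than the excerpt: the geometry line appears once per controller start, so a 512 there is a QEMU drive configuration problem, while 4096 with a persistent EFTYPE points at the container contents instead.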

@asdfugil
Author

asdfugil commented Mar 9, 2022

After removing block size settings, launchd starts, but:

Code: /System/Library/xpc/launchd.plist Sig: /System/Library/xpc/launchd.plist.sig
Tue Mar  8 18:35:46 2022 localhost com.apple.xpc.launchd[1] <Notice>: Doing boot task: launchd_cache_loader
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 25 is checking if a cdhash is in the trust cache
static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 25
cdhash: {length = 20, bytes = 0x1f926e82fb7151558f895e958a422ee5c570b6bc} is trusted
Attached signature to file, checking ...
Trying to send bytes to launchd: 2563 16384
Sending validated cache to launchd
Tue Mar  8 18:24:51 2022 localhost com.apple.xpc.launchd[1] <Error>: launchd_cache_loader: exited due to SIGKILL
Tue Mar  8 18:24:51 2022 localhost com.apple.xpc.launchd[1] <Emergency>: Boot task failed: launchd_cache_loader
Tue Mar  8 18:24:51 2022 localhost com.apple.xpc.launchd[1] <Emergency>: Panicking in 3 seconds.
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
panic(cpu 0 caller 0xfffffff008128668): "userspace panic: boot task failure: launchd_cache_loader - exited due to SIGKILL"
Debugger message: panic
Memory ID: 0x0
OS release type: Beta
OS version: 18A5351d
Kernel version: Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030
Kernel UUID: FDDAF386-4EA2-35FC-8235-1F167AEFD6F3
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x1bbe8ae3
Epoch Time:        sec       usec
  Boot    : 0x62280fe5 0x000edf11
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x62280ff6 0x000b713f

Panicked task 0xffffffe19b625f40: 125 pages, 4 threads: pid 1: launchd
Panicked thread: 0xffffffe19ba99740, backtrace: 0xffffffe80a623540, tid: 358
                  lr: 0xfffffff007a2af48  fp: 0xffffffe80a623580
                  lr: 0xfffffff007a2ad48  fp: 0xffffffe80a6235f0
                  lr: 0xfffffff007b64940  fp: 0xffffffe80a623610
                  lr: 0xfffffff007b56e1c  fp: 0xffffffe80a6236d0
                  lr: 0xfffffff00811c5f4  fp: 0xffffffe80a6236e0
                  lr: 0xfffffff007a2aa30  fp: 0xffffffe80a623a60
                  lr: 0xfffffff007a2aa30  fp: 0xffffffe80a623ac0
                  lr: 0xfffffff0097db97c  fp: 0xffffffe80a623ae0
                  lr: 0xfffffff008128668  fp: 0xffffffe80a623b20
                  lr: 0xfffffff007e7fd58  fp: 0xffffffe80a623c40
                  lr: 0xfffffff007e9de6c  fp: 0xffffffe80a623da0
                  lr: 0xfffffff007f7fc80  fp: 0xffffffe80a623e30
                  lr: 0xfffffff007b56c6c  fp: 0xffffffe80a623ef0
                  lr: 0xfffffff00811c5f4  fp: 0xffffffe80a623f00


** Stackshot Succeeded ** Bytes Traced 11571 (Uncompressed 36336) **
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleANS2NVMeController
IOPlatformPanicAction -> AppleNubSynopsysOTG3Device
IOPlatformPanicAction -> AppleS5L8960XWatchDogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleSMC
IOPlatformPanicAction -> AppleT8030PMGR
wdog panic (attempt 1)
wdt_update: wdog reset chip

Since launchd.plist is replaced with the one in setup-ios, it may be related.
Perhaps we need more patching?

@TrungNguyen1909
Owner

Try launchd_unsecure_cache=1 boot-args for now.

@asdfugil
Author

asdfugil commented Mar 9, 2022

good

Cache sent to launchd successfully
Tue Mar  8 19:46:39 2022 localhost com.apple.xpc.launchd[1] <Notice>: launchd UUID: 4C2464F5-9F87-31DE-B252-584E3391D4FA
Tue Mar  8 19:46:39 2022 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
bash-5.1# 
bash-5.1# uname -a
Darwin localhost 20.0.0 Darwin Kernel Version 20.0.0: Wed Aug 12 22:56:55 PDT 2020; root:xnu-7195.0.33~64/RELEASE_ARM64_T8030 iPhone12,1 arm64 N104AP Darwin

@TrungNguyen1909
Owner

This is caused by a bad merge. Imma push a fix soon. It would require restore to be run again.

@TrungNguyen1909
Owner

Fixed in fe3d463.

Please restore again if that is a concern. You will still need the block size args for it to function somewhat properly.

@asdfugil
Author

asdfugil commented Mar 9, 2022

It does not compile:

[912/2809] Compiling C object libcommon.fa.p/hw_block_apple_ans.c.o
FAILED: libcommon.fa.p/hw_block_apple_ans.c.o 
clang -Ilibcommon.fa.p -I../slirp -I../slirp/src -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/gio-unix-2.0 -I/usr/include/libusb-1.0 -I/usr/include/gtk-3.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/fribidi -I/usr/include/harfbuzz -I/usr/include/atk-1.0 -I/usr/include/uuid -I/usr/include/freetype2 -I/usr/include/gdk-pixbuf-2.0 -fcolor-diagnostics -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/nick/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/nick/qemu-t8030 -iquote /home/nick/qemu-t8030/include -iquote /home/nick/qemu-t8030/disas/libvixl -iquote /home/nick/qemu-t8030/tcg/i386 -pthread -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong -O3 -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -MD -MQ libcommon.fa.p/hw_block_apple_ans.c.o -MF libcommon.fa.p/hw_block_apple_ans.c.o.d -o libcommon.fa.p/hw_block_apple_ans.c.o -c ../hw/block/apple_ans.c
In file included from ../hw/block/apple_ans.c:13:
/home/nick/qemu-t8030/hw/nvme/nvme.h:349:10: error: use of undeclared identifier 'NVME_CMD_REPRIORITIZE'
    case NVME_CMD_REPRIORITIZE:     return "NVME_CMD_REPRIORITIZE";
         ^
../hw/block/apple_ans.c:141:9: warning: unused variable 'i' [-Wunused-variable]
    int i;
        ^
1 warning and 1 error generated.
[913/2809] Compiling C object libcommon.fa.p/hw_block_fdc-isa.c.o
[914/2809] Compiling C object libcommon.fa.p/hw_block_fdc.c.o
[915/2809] Compiling C object libcommon.fa.p/hw_block_nand.c.o
ninja: build stopped: subcommand failed.
make: *** [Makefile:156:run-ninja] 錯誤 1

@TrungNguyen1909
Owner

@asdfugil, fixed: #30

shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is previously filled in RAM. An I/O access to the
device (frames #22 to #16) starts the DMA engine (frame #13). The
engine fetches the descriptor and executes the request, which itself
accesses the SDHCI I/O registers (frames #1 and #0), triggering a
re-entrancy issue.

Fix by prohibiting transactions from the DMA to devices. The DMA engine
is thus restricted to memories.

Reported-by: OSS-Fuzz (Issue 36391)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Message-Id: <20211215205656.488940-3-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
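The two traces above (the intel-hda stack overflow and the SDHCI heap overflow) share one root cause: a DMA engine that is allowed to dispatch into a device's own MMIO window re-enters that device's register handler from inside itself. The following is an added toy model of that failure mode and of the mitigation the commit describes (restricting DMA to RAM); it is not QEMU's code, and every name in it (`ToyDevice`, `toy_dma_write`, `toy_mmio_write`, the address constants) is hypothetical. The "vulnerable" policy is capped by `TOY_REENTRY_LIMIT` so the model terminates instead of overflowing the stack.

```c
/* Added example, not QEMU code: a DMA engine that may target devices
 * re-enters the device's MMIO handler; restricting DMA to RAM stops it.
 * All names and addresses here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_RAM_BASE   0x1000UL
#define TOY_RAM_SIZE   0x1000UL
#define TOY_MMIO_BASE  0x8000UL   /* the device's own register window */
#define TOY_MMIO_SIZE  0x100UL

#define TOY_REENTRY_LIMIT 8       /* guard so the vulnerable path terminates */

typedef struct ToyDevice {
    uint8_t ram[TOY_RAM_SIZE];    /* guest RAM, holds the DMA descriptor */
    int write_depth;              /* current nesting of the MMIO handler */
    int max_depth;                /* deepest nesting observed */
    bool dma_to_devices;          /* policy: may DMA target MMIO regions? */
} ToyDevice;

static int toy_mmio_write(ToyDevice *dev, uint64_t addr, uint8_t val);

/* Classify an address: 0 = RAM, 1 = MMIO, -1 = unmapped. */
static int toy_classify(uint64_t addr)
{
    if (addr >= TOY_RAM_BASE && addr < TOY_RAM_BASE + TOY_RAM_SIZE)   return 0;
    if (addr >= TOY_MMIO_BASE && addr < TOY_MMIO_BASE + TOY_MMIO_SIZE) return 1;
    return -1;
}

/* One-byte DMA write. With dma_to_devices == false an MMIO target is
 * refused (-1) instead of being dispatched to the device handler; that
 * refusal is the behaviour the fix enforces. */
static int toy_dma_write(ToyDevice *dev, uint64_t addr, uint8_t val)
{
    switch (toy_classify(addr)) {
    case 0:
        dev->ram[addr - TOY_RAM_BASE] = val;
        return 0;
    case 1:
        if (!dev->dma_to_devices) {
            return -1;                       /* DMA restricted to memory */
        }
        return toy_mmio_write(dev, addr, val); /* re-enters the device */
    default:
        return -1;
    }
}

/* Any write to the register window kicks off a DMA described by ram[0..7]
 * (little-endian target address) and ram[8] (byte to write). */
static int toy_mmio_write(ToyDevice *dev, uint64_t addr, uint8_t val)
{
    (void)addr; (void)val;
    if (dev->write_depth >= TOY_REENTRY_LIMIT) {
        return -2;                           /* unbounded recursion stopped */
    }
    dev->write_depth++;
    if (dev->write_depth > dev->max_depth) {
        dev->max_depth = dev->write_depth;
    }
    uint64_t target = 0;
    for (int i = 0; i < 8; i++) {
        target |= (uint64_t)dev->ram[i] << (8 * i);
    }
    int rc = toy_dma_write(dev, target, dev->ram[8]);
    dev->write_depth--;
    return rc;
}

/* Scenario: the descriptor in RAM points the DMA back at the device's own
 * register window (the shape of both traces above). Reports the deepest
 * handler nesting and the final return code. */
static void toy_run(bool dma_to_devices, int *max_depth, int *rc)
{
    ToyDevice dev;
    memset(&dev, 0, sizeof dev);
    dev.dma_to_devices = dma_to_devices;
    for (int i = 0; i < 8; i++) {
        dev.ram[i] = (uint8_t)(TOY_MMIO_BASE >> (8 * i));
    }
    dev.ram[8] = 0x5a;                       /* constructed payload byte */
    *rc = toy_mmio_write(&dev, TOY_MMIO_BASE, 1);
    *max_depth = dev.max_depth;
}

static int toy_max_depth(bool dma_to_devices)
{
    int d, rc; toy_run(dma_to_devices, &d, &rc); return d;
}

static int toy_return_code(bool dma_to_devices)
{
    int d, rc; toy_run(dma_to_devices, &d, &rc); return rc;
}

int main(void)
{
    printf("DMA may target devices: nested %d deep, rc=%d\n",
           toy_max_depth(true), toy_return_code(true));
    printf("DMA restricted to RAM:  nested %d deep, rc=%d\n",
           toy_max_depth(false), toy_return_code(false));
    return 0;
}
```

With the permissive policy the handler nests until the guard fires (in the real traces there is no guard, so the recursion only ends when ASan reports the stack overflow or the re-entered handler reads past its buffer); with DMA confined to RAM the handler runs exactly once and the descriptor's device-targeted request is simply refused.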
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

  0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
  allocated by thread T0 here:
      #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
      #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
      #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
  Shadow bytes around the buggy address:
    0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:       fa
    Freed heap region:       fd
  ==447470==ABORTING
  Broken pipe
  ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211215205656.488940-4-philmd@redhat.com>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <thuth@redhat.com>