RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 757132 - QEMU console underline causes read beyond static array, draws crap pixels
Summary: QEMU console underline causes read beyond static array, draws crap pixels
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-25 14:39 UTC by Markus Armbruster
Modified: 2013-01-10 00:34 UTC (History)
10 users (show)

Fixed In Version: qemu-kvm-0.12.1.2-2.211.el6
Doc Type: Bug Fix
Doc Text:
Cause: Implementation of VGA underline attribute can read beyond an array. Consequence: Crap pixels in underlined characters might be visible with a guest running a non-framebuffer text console. Never actually reproduced. Fix: Don't read beyond the array. Result: Static analysis is happy. I doubt this is worth a tech note, but I'm leaving that to the people in charge of them.
Clone Of:
Environment:
Last Closed: 2012-06-20 11:37:00 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
insane console in early boot (11.24 KB, image/png)
2012-02-03 14:50 UTC, Chao Yang 		no flags Details
the snapshot of serial console (11.10 KB, image/png)
2012-02-10 12:03 UTC, Chao Yang 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0746 0 normal SHIPPED_LIVE qemu-kvm bug fix and enhancement update 2012-06-19 19:31:48 UTC

Description Markus Armbruster 2011-11-25 14:39:21 UTC 
Description of problem:
We read beyond dmask16[] in 8 bpp modes, and beyond dmask4[] in 15 and 16 bpp modes.  We draw crap pixels in all modes.

In theory, reading beyond an array is undefined behaviour.  In practice, it just reads crap bits.  Let's fix it anyway.

How reproducible:
Not reproduced.  Crap pixels in underlined characters might be visible with a guest running a non-framebuffer text console.  I doubt verifying that is worth the trouble.

Additional info:
Fixed upstream in commit 439229c7.
Comment 8 Chao Yang 2012-02-03 14:50:02 UTC 
Created attachment 559301 [details]
insane console in early boot
Comment 9 Markus Armbruster 2012-02-09 16:42:39 UTC 
The boot failure in comment#8 is unrelated.
Comment 10 Markus Armbruster 2012-02-09 17:02:53 UTC 
I was confused.  The patched code affects QEMU's virtual console, *not* the guest's text console.  Here's a way to test the QEMU console.

1. Configure a serial device connected to a "vc" character device:

    -chardev vc,id=serial0 -device isa-serial,chardev=serial0

   Make sure it's the only serial device configured, or else you may have to echo to another character device file in step 4.

2. Start vncviewer.  Ctrl-Alt-<number> switches between virtual consoles.  Find the one that shows "serial0 console" in the top left corner.  That's the one connected to our serial device.

3. Boot the guest.

4. You should be able to login on one of the virtual consoles now. Which one doesn't matter.  Run "echo -e 'eins\e[4mzwei\e[mdrei' >/dev/ttyS0".

This should draw "einszweidrei" with "zwei" underlined on the virtual console connected to our serial device.

Bug is reproduced when you can see crap pixels near the "zwei" with the unpatched qemu-kvm.  It may not be reproducible.

Fix is verified when there aren't any crap pixels near "zwei" with the patched qemu-kvm.
Comment 11 Chao Yang 2012-02-10 12:03:18 UTC 
Created attachment 560884 [details]
the snapshot of serial console

Hi Markus,
 I really appreciate it. But seems still fails to reproduce, please see the snapshot.
Comment 12 Chao Yang 2012-02-10 12:17:43 UTC 
Tried the steps mentioned in Comment #10, with qemu-kvm-0.12.1.2-2.225.el6.x86_64.rpm, I don't see any crap pixels near the "zwei" on the virtual console after "echo -e 'eins\e[4mzwei\e[mdrei' >/dev/ttyS0"

CLI:
# /usr/libexec/qemu-kvm  -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name rhel6.2 -uuid 9a2fcf21-04e9-3737-6c3c-85011ce1a90c -rtc base=utc -boot menu=on -drive file=/home/rhel6.2.qcow2,if=none,id=drive-virtio-disk0,cache=none,werror=stop,rerror=stop,format=qcow2 -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0 -vga qxl -vnc :1 -monitor stdio -nodefaults -chardev vc,id=serial -device isa-serial,chardev=serial



Markus,
 Could you tell if the results are good enough to verify this bug? Thanks!
Comment 13 Markus Armbruster 2012-02-10 13:01:23 UTC 
The bug has always been theoretical.  We decided to fix it because the patch is simple and low risk.  Your testing indicates that the patch is safe.  That's good enough for me.  Thanks!
Comment 15 Michal Novotny 2012-05-04 09:12:56 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Invalid font data.

Consequence:
Crap pixels are being drawn to VGA console.

Fix:
Right data are now being set.

Result:
VGA console doesn't show any crap pixels.
Comment 16 Markus Armbruster 2012-05-04 10:06:13 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1,11 @@
 Cause:
-Invalid font data.
+Implementation of VGA underline attribute can read beyond an array.
 
 Consequence:
-Crap pixels are being drawn to VGA console.
+Crap pixels in underlined characters might be visible with a guest running a non-framebuffer text console.  Never actually reproduced.
 
 Fix:
-Right data are now being set.
+Don't read beyond the array.
 
 Result:
-VGA console doesn't show any crap pixels.+Static analysis is happy.  I doubt this is worth a tech note, but I'm leaving that to the people in charge of them.
Comment 17 errata-xmlrpc 2012-06-20 11:37:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html
Note You need to log in before you can comment on or make changes to this bug.