qemu-system-m68k -M q800 -bios /dev/null segfaults
This command line:
qemu-system-m68k -M q800 -bios /dev/null
crashes with a segfault in q800_init(). Backtrace from gdb:
Thread 1 "qemu-system-m68" received signal SIGSEGV, Segmentation fault.
q800_init (machine=<optimised out>) at ../../hw/m68k/q800.c:681
681 stl_phys(cs->as, 0, ldl_p(ptr)); /* reset initial SP */
(gdb) bt
#0 q800_init (machine=<optimised out>) at ../../hw/m68k/q800.c:681
#1 0x000055555624e62a in machine_run_board_init (machine=<optimised out>)
at ../../hw/core/machine.c:1181
#2 0x000055555642ee68 in qemu_init_board () at ../../softmmu/vl.c:2652
#3 qmp_x_exit_preconfig (errp=<optimised out>) at ../../softmmu/vl.c:2740
#4 0x0000555556433f24 in qemu_init (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>)
at ../../softmmu/vl.c:3775
#5 0x000055555601ea76 in main (argc=1482693856, argv=0x100000, envp=0x0) at ../../softmmu/main.c:49
This happens because the code doesn't check that rom_ptr() returned a non-NULL pointer, and rom_ptr() returns NULL when the BIOS image passed by the user is zero bytes long (which is what /dev/null looks like to the loader). You can provoke the same segfault by creating a zero-byte file and passing it to -bios.
More generally, there is a length check:
if (bios_size < 0 || bios_size > MACROM_SIZE)
but this is too loose -- it accepts any size from 0 up to MACROM_SIZE, whereas the rom_ptr() call below only returns a non-NULL pointer when the loaded blob covers the whole MACROM_SIZE window, i.e. when it is at least MACROM_SIZE bytes. So any image shorter than MACROM_SIZE, not just an empty one, leads to the same NULL dereference. We could make the condition test "bios_size != MACROM_SIZE", or change the rom_ptr() code.
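The following is an added example, not code from the QEMU tree, that models the rom_ptr() contract behind this crash: a pointer is returned only when the requested [addr, addr+size) window lies entirely inside a registered ROM blob, otherwise NULL. It puts the loose range check from the report next to a hardened variant that tests for exactly MACROM_SIZE and also refuses a NULL rom_ptr() result. The model_* functions, the single-entry ROM table, and the MACROM_ADDR/MACROM_SIZE values are simplified stand-ins chosen for the demo (the real ROM is much larger); the sample images are constructed bytes, not MacROM data.

```c
/* Added example: model of the rom_ptr() NULL return that q800_init() misses.
 * Stand-in constants: real q800.c values differ. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACROM_ADDR 0x40800000u
#define MACROM_SIZE 64            /* stand-in for the real MacROM size */

/* One registered ROM blob (QEMU keeps a list; one entry is enough here). */
typedef struct {
    int      present;             /* 0 until a non-empty image is loaded */
    uint32_t addr;
    size_t   romsize;
    uint8_t  data[MACROM_SIZE];
} Rom;

static Rom rom_table;

/* Model of load_image_targphys(): reject oversized images, register the
 * rest, return the size.  A 0-byte image registers nothing, as in QEMU. */
static long model_load_image(const uint8_t *img, size_t len,
                             uint32_t addr, size_t max_sz)
{
    if (len > max_sz) {
        return -1;
    }
    rom_table.present = (len > 0);
    rom_table.addr = addr;
    rom_table.romsize = len;
    memcpy(rom_table.data, img, len);
    return (long)len;
}

/* Model of rom_ptr(): NULL unless the whole window is inside the blob. */
static uint8_t *model_rom_ptr(uint32_t addr, size_t size)
{
    Rom *r = &rom_table;
    if (!r->present || addr < r->addr ||
        addr + size > r->addr + r->romsize) {
        return NULL;
    }
    return r->data + (addr - r->addr);
}

/* m68k is big-endian, so ldl_p() reads a big-endian 32-bit word. */
static uint32_t ldl_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Loose check from the report: 0..MACROM_SIZE all pass, then rom_ptr() is
 * dereferenced unconditionally.  Returns 1 if that dereference would be of
 * NULL (the segfault), 0 if the image is accepted or rejected cleanly. */
static int loose_check_would_crash(const uint8_t *img, size_t len)
{
    long bios_size = model_load_image(img, len, MACROM_ADDR, MACROM_SIZE);
    if (bios_size < 0 || bios_size > MACROM_SIZE) {
        return 0;                 /* error_report + exit in the real code */
    }
    uint8_t *ptr = model_rom_ptr(MACROM_ADDR, MACROM_SIZE);
    return ptr == NULL;           /* real code does ldl_p(ptr) right here */
}

/* Hardened variant: exact-size check plus a NULL check on rom_ptr().
 * On success writes the reset SP/PC into the globals and returns 0. */
static uint32_t initial_sp, initial_pc;

static int hardened_init(const uint8_t *img, size_t len)
{
    long bios_size = model_load_image(img, len, MACROM_ADDR, MACROM_SIZE);
    if (bios_size != MACROM_SIZE) {
        return -1;
    }
    uint8_t *ptr = model_rom_ptr(MACROM_ADDR, MACROM_SIZE);
    if (ptr == NULL) {
        return -1;                /* belt and braces: never dereference NULL */
    }
    initial_sp = ldl_be(ptr);                     /* reset initial SP */
    initial_pc = MACROM_ADDR + ldl_be(ptr + 4);   /* reset initial PC */
    return 0;
}

/* Constructed sample images (not real MacROM bytes).  The full image has
 * one spare byte so it can also be passed with an oversized length. */
static const uint8_t sample_tiny[4] = { 0x00, 0x00, 0x10, 0x00 };
static uint8_t sample_buf[MACROM_SIZE + 1];

static const uint8_t *sample_full_image(void)
{
    memset(sample_buf, 0, sizeof sample_buf);
    sample_buf[2] = 0x10;         /* SP = 0x00001000 */
    sample_buf[7] = 0x2a;         /* PC = MACROM_ADDR + 0x2a */
    return sample_buf;
}

int main(void)
{
    printf("0-byte image, loose check: crash=%d\n",
           loose_check_would_crash(sample_full_image(), 0));
    printf("4-byte image, loose check: crash=%d\n",
           loose_check_would_crash(sample_tiny, sizeof sample_tiny));
    printf("full image, hardened: rc=%d sp=0x%x pc=0x%x\n",
           hardened_init(sample_full_image(), MACROM_SIZE),
           initial_sp, initial_pc);
    return 0;
}
```

The point the model makes concrete is that the loose check and rom_ptr() disagree about which sizes are acceptable: the check passes 0 and 4 bytes, rom_ptr() rejects both, and nothing in between catches the NULL. Either tightening the size test to "!= MACROM_SIZE" or checking the rom_ptr() result closes the gap; doing both means a future change to the loader cannot reopen it.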