From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Andreas Färber" <afaerber@suse.de>
Cc: Bruce Rogers <brogers@suse.com>,
Sebastian Krahmer <krahmer@suse.com>,
qemu-stable@nongnu.org, qemu-devel@nongnu.org,
David Marchand <david.marchand@6wind.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Cam Macdonell <cam@cs.ualberta.ca>
Subject: Re: [Qemu-devel] [PATCH v3 1/4] ivshmem: Check ivshmem_read() size argument
Date: Mon, 22 Sep 2014 14:21:12 +0300 [thread overview]
Message-ID: <20140922112112.GD14882@redhat.com> (raw)
In-Reply-To: <1410799208-3250-2-git-send-email-afaerber@suse.de>
On Mon, Sep 15, 2014 at 06:40:05PM +0200, Andreas Färber wrote:
> From: Stefan Hajnoczi <stefanha@redhat.com>
>
> The third argument to the fd_read() callback implemented by
> ivshmem_read() is the number of bytes, not a flags field. Fix this and
> check we received enough bytes before accessing the buffer pointer.
>
> Cc: Cam Macdonell <cam@cs.ualberta.ca>
> Reported-by: Sebastian Krahmer <krahmer@suse.de>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> [AF: Handle partial reads via FIFO]
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> hw/misc/ivshmem.c | 30 ++++++++++++++++++++++++++++--
> 1 file changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
> index bd9d718..caeee1e 100644
> --- a/hw/misc/ivshmem.c
> +++ b/hw/misc/ivshmem.c
> @@ -24,6 +24,7 @@
> #include "migration/migration.h"
> #include "qapi/qmp/qerror.h"
> #include "qemu/event_notifier.h"
> +#include "qemu/fifo8.h"
> #include "sysemu/char.h"
>
> #include <sys/mman.h>
> @@ -73,6 +74,7 @@ typedef struct IVShmemState {
>
> CharDriverState **eventfd_chr;
> CharDriverState *server_chr;
> + Fifo8 incoming_fifo;
> MemoryRegion ivshmem_mmio;
>
> /* We might need to register the BAR before we actually have the memory.
> @@ -424,14 +426,35 @@ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) {
> }
> }
>
> -static void ivshmem_read(void *opaque, const uint8_t * buf, int flags)
> +static void ivshmem_read(void *opaque, const uint8_t *buf, int size)
> {
> IVShmemState *s = opaque;
> int incoming_fd, tmp_fd;
> int guest_max_eventfd;
> long incoming_posn;
>
> - memcpy(&incoming_posn, buf, sizeof(long));
> + if (fifo8_is_empty(&s->incoming_fifo) && size == sizeof(incoming_posn)) {
> + memcpy(&incoming_posn, buf, size);
> + } else {
> + const uint8_t *p;
> + uint32_t num;
> +
> + IVSHMEM_DPRINTF("short read of %d bytes\n", size);
> + num = MAX(size, sizeof(long) - fifo8_num_used(&s->incoming_fifo));
> + fifo8_push_all(&s->incoming_fifo, buf, num);
> + if (fifo8_num_used(&s->incoming_fifo) < sizeof(incoming_posn)) {
> + return;
> + }
> + size -= num;
> + buf += num;
> + p = fifo8_pop_buf(&s->incoming_fifo, sizeof(incoming_posn), &num);
> + g_assert(num == sizeof(incoming_posn));
> + memcpy(&incoming_posn, p, sizeof(incoming_posn));
> + if (size > 0) {
> + fifo8_push_all(&s->incoming_fifo, buf, size);
> + }
> + }
> +
> /* pick off s->server_chr->msgfd and store it, posn should accompany msg */
> tmp_fd = qemu_chr_fe_get_msgfd(s->server_chr);
> IVSHMEM_DPRINTF("posn is %ld, fd is %d\n", incoming_posn, tmp_fd);
> @@ -663,6 +686,8 @@ static int pci_ivshmem_init(PCIDevice *dev)
> s->ivshmem_size = ivshmem_get_size(s);
> }
>
> + fifo8_create(&s->incoming_fifo, sizeof(long));
> +
> register_savevm(DEVICE(dev), "ivshmem", 0, 0, ivshmem_save, ivshmem_load,
> dev);
>
> @@ -796,6 +821,7 @@ static void pci_ivshmem_uninit(PCIDevice *dev)
> memory_region_del_subregion(&s->bar, &s->ivshmem);
> vmstate_unregister_ram(&s->ivshmem, DEVICE(dev));
> unregister_savevm(DEVICE(dev), "ivshmem", s);
> + fifo8_destroy(&s->incoming_fifo);
> }
>
> static Property ivshmem_properties[] = {
> --
> 1.8.4.5
next prev parent reply other threads:[~2014-09-22 11:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-15 16:40 [Qemu-devel] [PATCH v3 0/4] ivshmem security fixes Andreas Färber
2014-09-15 16:40 ` [Qemu-devel] [PATCH v3 1/4] ivshmem: Check ivshmem_read() size argument Andreas Färber
2014-09-22 11:21 ` Michael S. Tsirkin [this message]
2014-09-15 16:40 ` [Qemu-devel] [PATCH v3 2/4] ivshmem: validate incoming_posn value from server Andreas Färber
2014-09-22 11:21 ` Michael S. Tsirkin
2014-09-15 16:40 ` [Qemu-devel] [PATCH v3 3/4] ivshmem: Fix potential OOB r/w access Andreas Färber
2014-09-22 11:21 ` Michael S. Tsirkin
2014-09-15 16:40 ` [Qemu-devel] [PATCH v3 4/4] ivshmem: Fix fd leak on error Andreas Färber
2014-09-22 11:22 ` Michael S. Tsirkin
2014-10-31 16:03 ` [Qemu-devel] [PATCH v3 0/4] ivshmem security fixes Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140922112112.GD14882@redhat.com \
--to=mst@redhat.com \
--cc=afaerber@suse.de \
--cc=brogers@suse.com \
--cc=cam@cs.ualberta.ca \
--cc=david.marchand@6wind.com \
--cc=krahmer@suse.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.