From: Cornelia Huck <cohuck@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>,
	Halil Pasic <pasic@linux.ibm.com>
Cc: Thomas Huth <thuth@redhat.com>,
	qemu-s390x <qemu-s390x@nongnu.org>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [PULL 2/2] s390x/s390-virtio-ccw: fix loadparm property getter
Date: Tue, 28 Jul 2020 17:14:38 +0200	[thread overview]
Message-ID: <20200728171438.2c3eb4fb.cohuck@redhat.com> (raw)
In-Reply-To: <CAFEAcA_1xECE+ESWoioHFSF_mwDG11NrR2=J3NWx2X+OGg3SZw@mail.gmail.com>

On Tue, 28 Jul 2020 14:52:36 +0100
Peter Maydell <peter.maydell@linaro.org> wrote:

> On Mon, 27 Jul 2020 at 15:05, Cornelia Huck <cohuck@redhat.com> wrote:
> >
> > From: Halil Pasic <pasic@linux.ibm.com>
> >
> > The function machine_get_loadparm() is supposed to produce a C-string,
> > that is a NUL-terminated one, but it does not. ElectricFence can detect
> > this problem if the loadparm machine property is used.
> >
> > Let us make the returned string a NUL-terminated one.
> >
> > Fixes: 7104bae9de ("hw/s390x: provide loadparm property for the machine")
> > Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
> > Reviewed-by: Thomas Huth <thuth@redhat.com>
> > Message-Id: <20200723162717.88485-1-pasic@linux.ibm.com>
> > Signed-off-by: Cornelia Huck <cohuck@redhat.com>
> > ---
> >  hw/s390x/s390-virtio-ccw.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> > index 8cc2f25d8a6a..403d30e13bca 100644
> > --- a/hw/s390x/s390-virtio-ccw.c
> > +++ b/hw/s390x/s390-virtio-ccw.c
> > @@ -701,8 +701,12 @@ bool hpage_1m_allowed(void)
> >  static char *machine_get_loadparm(Object *obj, Error **errp)
> >  {
> >      S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
> > +    char *loadparm_str;
> >
> > -    return g_memdup(ms->loadparm, sizeof(ms->loadparm));
> > +    /* make a NUL-terminated string */
> > +    loadparm_str = g_memdup(ms->loadparm, sizeof(ms->loadparm) + 1);
> > +    loadparm_str[sizeof(ms->loadparm)] = 0;
> > +    return loadparm_str;  
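Review bot: the `+    loadparm_str = g_memdup(ms->loadparm, sizeof(ms->loadparm) + 1);` line asks g_memdup() to copy sizeof(ms->loadparm) + 1 bytes out of an array that is only sizeof(ms->loadparm) bytes long, so the fix replaces a missing terminator with a one-byte out-of-bounds read past the end of ms->loadparm. Allocate the extra byte yourself and copy only the array: `loadparm_str = g_malloc(sizeof(ms->loadparm) + 1);` then `memcpy(loadparm_str, ms->loadparm, sizeof(ms->loadparm));`, keeping the existing `loadparm_str[sizeof(ms->loadparm)] = 0;`. Since the commit message says ElectricFence caught the original bug, re-running the loadparm property path under it (or ASan) after this change would show the over-read as well.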
> 
> Hi. Coverity points out (CID 1431058) that this code now
> reads off the end of the ms->loadparm buffer, because
> g_memdup() is going to read and copy 9 bytes (size + 1)
> and the array itself is only 8 bytes.
> 
> I don't think you can use g_memdup() here -- you need to
> allocate the memory with g_malloc() and then fill it with
> memcpy(), something like:
> 
>     loadparm_str = g_malloc(sizeof(ms->loadparm) + 1);
>     memcpy(loadparm_str, ms->loadparm, sizeof(ms->loadparm));
>     loadparm_str[sizeof(ms->loadparm)] = 0;

Sigh.

Halil, do you have time to cook up a patch?



Thread overview:
2020-07-27 14:05 [PULL 0/2] some more s390x fixes Cornelia Huck
2020-07-27 14:05 ` [PULL 1/2] s390x/protvirt: allow to IPL secure guests with -no-reboot Cornelia Huck
2020-07-27 14:05 ` [PULL 2/2] s390x/s390-virtio-ccw: fix loadparm property getter Cornelia Huck
2020-07-28 13:52   ` Peter Maydell
2020-07-28 15:14     ` Cornelia Huck [this message]
2020-07-28 20:22       ` Halil Pasic
2020-07-27 19:59 ` [PULL 0/2] some more s390x fixes Peter Maydell
