From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
qemu-devel@nongnu.org, "Gerd Hoffmann" <kraxel@redhat.com>
Subject: Re: [PATCH] hw/nvram/fw_cfg: fix FWCfgDataGeneratorClass::get_data() consumption
Date: Wed, 16 Sep 2020 17:30:27 +0100 [thread overview]
Message-ID: <20200916163027.GS1535709@redhat.com> (raw)
In-Reply-To: <20200916151510.22767-1-lersek@redhat.com>
On Wed, Sep 16, 2020 at 05:15:10PM +0200, Laszlo Ersek wrote:
> The documentation on g_byte_array_free()
> <https://developer.gnome.org/glib/stable/glib-Byte-Arrays.html#g-byte-array-free>
> says:
>
> > Returns
> >
> > the element data if free_segment is FALSE, otherwise NULL. The element
> > data should be freed using g_free().
>
> Because we currently call g_byte_array_free() with free_segment=TRUE, we
> end up passing data=NULL to fw_cfg_add_file().
>
> On the plus side, fw_cfg_data_read() and fw_cfg_dma_transfer() both deal
> with NULL data gracefully: QEMU does not crash when the guest reads such
> an item, the guest just gets a properly sized, but zero-filled blob.
>
> However, the bug breaks UEFI HTTPS boot, as the IANA_TLS_CIPHER array,
> generated otherwise correctly by the "tls-cipher-suites" object, is in
> effect replaced with a zero blob.
>
> Fix the issue by passing free_segment=FALSE to g_byte_array_free():
>
> - the caller (fw_cfg_add_from_generator()) temporarily assumes ownership
> of the generated byte array,
>
> - then ownership of the byte array is transfered to fw_cfg, as
> fw_cfg_add_file() links (not copies) "data" into fw_cfg.
>
> Cc: "Daniel P. Berrangé" <berrange@redhat.com>
> Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Fixes: 3203148917d035b09f71986ac2eaa19a352d6d9d
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
> hw/nvram/fw_cfg.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-09-16 16:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-16 15:15 [PATCH] hw/nvram/fw_cfg: fix FWCfgDataGeneratorClass::get_data() consumption Laszlo Ersek
2020-09-16 15:57 ` Philippe Mathieu-Daudé
2020-09-16 16:30 ` Daniel P. Berrangé [this message]
2020-09-18 8:34 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200916163027.GS1535709@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.