[PATCH] smbios: Fix buffer overrun when using path= option

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] smbios: Fix buffer overrun when using path= option
@ 2025-03-23 21:35 Daan De Meyer
  2025-03-24  6:24 ` Thomas Huth
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Daan De Meyer @ 2025-03-23 21:35 UTC (permalink / raw)
  To: qemu-devel; +Cc: Daan De Meyer

We have to make sure the array of bytes read from the path= file
is null-terminated, otherwise we run into a buffer overrun later on.

Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
---
 hw/smbios/smbios.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 02a09eb9cd..ad4cd6721e 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
             g_byte_array_append(data, (guint8 *)buf, ret);
         }
 
+        buf[0] = '\0';
+        g_byte_array_append(data, (guint8 *)buf, 1);
+
         qemu_close(fd);
 
         *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
-- 
2.49.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-23 21:35 [PATCH] smbios: Fix buffer overrun when using path= option Daan De Meyer
@ 2025-03-24  6:24 ` Thomas Huth
  2025-04-08 14:13   ` Stefan Hajnoczi
  2025-03-24  9:12 ` Daniel P. Berrangé
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 11+ messages in thread
From: Thomas Huth @ 2025-03-24  6:24 UTC (permalink / raw)
  To: Daan De Meyer, qemu-devel; +Cc: Michael S. Tsirkin, Igor Mammedov, Ani Sinha

On 23/03/2025 22.35, Daan De Meyer wrote:
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
> 
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> 
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>   hw/smbios/smbios.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>               g_byte_array_append(data, (guint8 *)buf, ret);
>           }
>   
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>           qemu_close(fd);
>   
>           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);

Please make sure to put the maintainers on CC: (done now, for the next time 
please see the MAINTAINERS file or use the scripts/get_maintainers.pl 
script), otherwise your patch might go unnoticed.

  Thomas



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-24  6:24 ` Thomas Huth
@ 2025-04-08 14:13   ` Stefan Hajnoczi
  0 siblings, 0 replies; 11+ messages in thread
From: Stefan Hajnoczi @ 2025-04-08 14:13 UTC (permalink / raw)
  To: Michael S. Tsirkin, Igor Mammedov, Ani Sinha
  Cc: Daan De Meyer, qemu-devel, Thomas Huth

[-- Attachment #1: Type: text/plain, Size: 1443 bytes --]

On Mon, Mar 24, 2025 at 07:24:59AM +0100, Thomas Huth wrote:
> On 23/03/2025 22.35, Daan De Meyer wrote:
> > We have to make sure the array of bytes read from the path= file
> > is null-terminated, otherwise we run into a buffer overrun later on.
> > 
> > Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> > 
> > Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> > ---
> >   hw/smbios/smbios.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> > index 02a09eb9cd..ad4cd6721e 100644
> > --- a/hw/smbios/smbios.c
> > +++ b/hw/smbios/smbios.c
> > @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
> >               g_byte_array_append(data, (guint8 *)buf, ret);
> >           }
> > +        buf[0] = '\0';
> > +        g_byte_array_append(data, (guint8 *)buf, 1);
> > +
> >           qemu_close(fd);
> >           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
> 
> Please make sure to put the maintainers on CC: (done now, for the next time
> please see the MAINTAINERS file or use the scripts/get_maintainers.pl
> script), otherwise your patch might go unnoticed.

Michael, Igor, Ani: This patch is needed for QEMU 10.0. You are the
maintainers, please review this patch.

Thanks!

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-23 21:35 [PATCH] smbios: Fix buffer overrun when using path= option Daan De Meyer
  2025-03-24  6:24 ` Thomas Huth
@ 2025-03-24  9:12 ` Daniel P. Berrangé
  2025-03-24 13:22   ` Daniel P. Berrangé
  2025-03-31 22:18 ` Philippe Mathieu-Daudé
  2025-04-03 19:29 ` Daan De Meyer
  3 siblings, 1 reply; 11+ messages in thread
From: Daniel P. Berrangé @ 2025-03-24  9:12 UTC (permalink / raw)
  To: Daan De Meyer; +Cc: qemu-devel

On Sun, Mar 23, 2025 at 10:35:54PM +0100, Daan De Meyer wrote:
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
> 
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> 
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>  hw/smbios/smbios.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>              g_byte_array_append(data, (guint8 *)buf, ret);
>          }
>  
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>          qemu_close(fd);
>  
>          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-24  9:12 ` Daniel P. Berrangé
@ 2025-03-24 13:22   ` Daniel P. Berrangé
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel P. Berrangé @ 2025-03-24 13:22 UTC (permalink / raw)
  To: Daan De Meyer, qemu-stable; +Cc: qemu-devel

CC qemu-stable - this needs cherry-picking into all active stable
branches once accepted.

On Mon, Mar 24, 2025 at 09:12:53AM +0000, Daniel P. Berrangé wrote:
> On Sun, Mar 23, 2025 at 10:35:54PM +0100, Daan De Meyer wrote:
> > We have to make sure the array of bytes read from the path= file
> > is null-terminated, otherwise we run into a buffer overrun later on.
> > 
> > Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> > 
> > Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> > ---
> >  hw/smbios/smbios.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> > index 02a09eb9cd..ad4cd6721e 100644
> > --- a/hw/smbios/smbios.c
> > +++ b/hw/smbios/smbios.c
> > @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
> >              g_byte_array_append(data, (guint8 *)buf, ret);
> >          }
> >  
> > +        buf[0] = '\0';
> > +        g_byte_array_append(data, (guint8 *)buf, 1);
> > +
> >          qemu_close(fd);
> >  
> >          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
> 
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-23 21:35 [PATCH] smbios: Fix buffer overrun when using path= option Daan De Meyer
  2025-03-24  6:24 ` Thomas Huth
  2025-03-24  9:12 ` Daniel P. Berrangé
@ 2025-03-31 22:18 ` Philippe Mathieu-Daudé
  2025-04-03 19:29 ` Daan De Meyer
  3 siblings, 0 replies; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2025-03-31 22:18 UTC (permalink / raw)
  To: Daan De Meyer, qemu-devel, Valentin David

+Valentin

On 23/3/25 22:35, Daan De Meyer wrote:
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
> 
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
> 
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>   hw/smbios/smbios.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>               g_byte_array_append(data, (guint8 *)buf, ret);
>           }
>   
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>           qemu_close(fd);
>   
>           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-03-23 21:35 [PATCH] smbios: Fix buffer overrun when using path= option Daan De Meyer
                   ` (2 preceding siblings ...)
  2025-03-31 22:18 ` Philippe Mathieu-Daudé
@ 2025-04-03 19:29 ` Daan De Meyer
  2025-04-03 19:37   ` Philippe Mathieu-Daudé
  3 siblings, 1 reply; 11+ messages in thread
From: Daan De Meyer @ 2025-04-03 19:29 UTC (permalink / raw)
  To: qemu-devel; +Cc: thuth, mst, imammedo, anisinha, Daniel P. Berrangé

Hi,

Unless I'm missing something, I don't think the patch has been merged
yet. Any chance it might have been missed?

Cheers,

Daan

On Sun, 23 Mar 2025 at 22:36, Daan De Meyer <daan.j.demeyer@gmail.com> wrote:
>
> We have to make sure the array of bytes read from the path= file
> is null-terminated, otherwise we run into a buffer overrun later on.
>
> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
>
> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
> ---
>  hw/smbios/smbios.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
> index 02a09eb9cd..ad4cd6721e 100644
> --- a/hw/smbios/smbios.c
> +++ b/hw/smbios/smbios.c
> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>              g_byte_array_append(data, (guint8 *)buf, ret);
>          }
>
> +        buf[0] = '\0';
> +        g_byte_array_append(data, (guint8 *)buf, 1);
> +
>          qemu_close(fd);
>
>          *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
> --
> 2.49.0
>


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-04-03 19:29 ` Daan De Meyer
@ 2025-04-03 19:37   ` Philippe Mathieu-Daudé
  2025-04-04 14:46     ` Valentin David
  0 siblings, 1 reply; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2025-04-03 19:37 UTC (permalink / raw)
  To: Daan De Meyer, qemu-devel, Valentin David
  Cc: thuth, mst, imammedo, anisinha, Daniel P. Berrangé

Hi Daan,

On 3/4/25 21:29, Daan De Meyer wrote:
> Hi,
> 
> Unless I'm missing something, I don't think the patch has been merged
> yet. Any chance it might have been missed?

I have it tagged, as sensible enough, in case nobody else takes it.
IIRC it was sent the same day I posted my latest pull request, so
it'd go in the next one, due before next Tuesday. Also I was hoping I
could get feedback from Valentin.

> 
> Cheers,
> 
> Daan
> 
> On Sun, 23 Mar 2025 at 22:36, Daan De Meyer <daan.j.demeyer@gmail.com> wrote:
>>
>> We have to make sure the array of bytes read from the path= file
>> is null-terminated, otherwise we run into a buffer overrun later on.
>>
>> Fixes: bb99f4772f54017490e3356ecbb3df25c5d4537f ("hw/smbios: support loading OEM strings values from a file")
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2879
>>
>> Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
>> ---
>>   hw/smbios/smbios.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
>> index 02a09eb9cd..ad4cd6721e 100644
>> --- a/hw/smbios/smbios.c
>> +++ b/hw/smbios/smbios.c
>> @@ -1285,6 +1285,9 @@ static int save_opt_one(void *opaque,
>>               g_byte_array_append(data, (guint8 *)buf, ret);
>>           }
>>
>> +        buf[0] = '\0';
>> +        g_byte_array_append(data, (guint8 *)buf, 1);
>> +
>>           qemu_close(fd);
>>
>>           *opt->dest = g_renew(char *, *opt->dest, (*opt->ndest) + 1);
>> --
>> 2.49.0
>>
> 



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-04-03 19:37   ` Philippe Mathieu-Daudé
@ 2025-04-04 14:46     ` Valentin David
  2025-04-04 15:02       ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 11+ messages in thread
From: Valentin David @ 2025-04-04 14:46 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Daan De Meyer, qemu-devel, thuth, mst, imammedo, anisinha,
	Daniel P. Berrangé

[-- Attachment #1: Type: text/plain, Size: 287 bytes --]

On Thu, Apr 3, 2025 at 9:37 PM Philippe Mathieu-Daudé <philmd@linaro.org>
wrote:

> Also I was hoping I could get feedback from Valentin.
>
>
Sorry, I did not realize that you wanted my feedback. Daan's patch looks
fine to me. I have manually tested it and it fixes my issue.

[-- Attachment #2: Type: text/html, Size: 611 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-04-04 14:46     ` Valentin David
@ 2025-04-04 15:02       ` Philippe Mathieu-Daudé
  2025-04-04 15:06         ` Valentin David
  0 siblings, 1 reply; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2025-04-04 15:02 UTC (permalink / raw)
  To: Valentin David
  Cc: Daan De Meyer, qemu-devel, thuth, mst, imammedo, anisinha,
	Daniel P. Berrangé

On 4/4/25 16:46, Valentin David wrote:
> On Thu, Apr 3, 2025 at 9:37 PM Philippe Mathieu-Daudé <philmd@linaro.org 
> <mailto:philmd@linaro.org>> wrote:
> 
>     Also I was hoping I could get feedback from Valentin.
> 
> 
> Sorry, I did not realize that you wanted my feedback. Daan's patch looks 
> fine to me. I have manually tested it and it fixes my issue.

Thanks! Might I add your tag then?

Tested-by: Valentin David <valentin.david@canonical.com>



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH] smbios: Fix buffer overrun when using path= option
  2025-04-04 15:02       ` Philippe Mathieu-Daudé
@ 2025-04-04 15:06         ` Valentin David
  0 siblings, 0 replies; 11+ messages in thread
From: Valentin David @ 2025-04-04 15:06 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Daan De Meyer, qemu-devel, thuth, mst, imammedo, anisinha,
	Daniel P. Berrangé

[-- Attachment #1: Type: text/plain, Size: 591 bytes --]

Yes.

On Fri, Apr 4, 2025 at 5:02 PM Philippe Mathieu-Daudé <philmd@linaro.org>
wrote:

> On 4/4/25 16:46, Valentin David wrote:
> > On Thu, Apr 3, 2025 at 9:37 PM Philippe Mathieu-Daudé <philmd@linaro.org
> > <mailto:philmd@linaro.org>> wrote:
> >
> >     Also I was hoping I could get feedback from Valentin.
> >
> >
> > Sorry, I did not realize that you wanted my feedback. Daan's patch looks
> > fine to me. I have manually tested it and it fixes my issue.
>
> Thanks! Might I add your tag then?
>
> Tested-by: Valentin David <valentin.david@canonical.com>
>
>

[-- Attachment #2: Type: text/html, Size: 1143 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2025-04-08 14:14 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-23 21:35 [PATCH] smbios: Fix buffer overrun when using path= option Daan De Meyer
2025-03-24  6:24 ` Thomas Huth
2025-04-08 14:13   ` Stefan Hajnoczi
2025-03-24  9:12 ` Daniel P. Berrangé
2025-03-24 13:22   ` Daniel P. Berrangé
2025-03-31 22:18 ` Philippe Mathieu-Daudé
2025-04-03 19:29 ` Daan De Meyer
2025-04-03 19:37   ` Philippe Mathieu-Daudé
2025-04-04 14:46     ` Valentin David
2025-04-04 15:02       ` Philippe Mathieu-Daudé
2025-04-04 15:06         ` Valentin David

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.