From: Paolo Bonzini <pbonzini@redhat.com>
To: Juan Quintela <quintela@redhat.com>, qemu-devel@nongnu.org
Cc: amit.shah@redhat.com, "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [Qemu-devel] [PULL 10/28] Sanity check RDMA remote data
Date: Thu, 9 Jul 2015 16:08:15 +0200
Message-ID: <559E804F.9010805@redhat.com>
In-Reply-To: <1436274549-28826-11-git-send-email-quintela@redhat.com>
On 07/07/2015 15:08, Juan Quintela wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
>
> Perform some basic (but probably not complete) sanity checking on
> requests from the RDMA source.
>
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
> Signed-off-by: Juan Quintela <quintela@redhat.com>
> ---
> migration/rdma.c | 30 ++++++++++++++++++++++++++++++
> 1 file changed, 30 insertions(+)
>
> diff --git a/migration/rdma.c b/migration/rdma.c
> index 73844a3..73a79be 100644
> --- a/migration/rdma.c
> +++ b/migration/rdma.c
> @@ -2992,6 +2992,13 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
> trace_qemu_rdma_registration_handle_compress(comp->length,
> comp->block_idx,
> comp->offset);
> + if (comp->block_idx >= rdma->local_ram_blocks.nb_blocks) {
> + error_report("rdma: 'compress' bad block index %u (vs %d)",
> + (unsigned int)comp->block_idx,
> + rdma->local_ram_blocks.nb_blocks);
> + ret = -EIO;
> + break;
Did you want "goto out" here, and especially inside the for loop below:
> + }
> block = &(rdma->local_ram_blocks.block[comp->block_idx]);
>
> host_addr = block->local_host_addr +
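Review bot: the new check covers only comp->block_idx; comp->offset and comp->length, which arrive in the same remote message and are traced just above, are not validated in this hunk before host_addr is derived from block->local_host_addr. Suggest also rejecting the request when offset plus length falls outside the selected block, taking care that the addition itself cannot wrap. The same kind of failure (a bad block index) is reported as -EIO here and as -ENOENT in the 'register' path; one errno for both would make the error handling easier to follow.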
> @@ -3080,8 +3087,23 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
> trace_qemu_rdma_registration_handle_register_loop(count,
> reg->current_index, reg->key.current_addr, reg->chunks);
>
> + if (reg->current_index >= rdma->local_ram_blocks.nb_blocks) {
> + error_report("rdma: 'register' bad block index %u (vs %d)",
> + (unsigned int)reg->current_index,
> + rdma->local_ram_blocks.nb_blocks);
> + ret = -ENOENT;
> + break;
Here
> + }
> block = &(rdma->local_ram_blocks.block[reg->current_index]);
> if (block->is_ram_block) {
> + if (block->offset > reg->key.current_addr) {
> + error_report("rdma: bad register address for block %s"
> + " offset: %" PRIx64 " current_addr: %" PRIx64,
> + block->block_name, block->offset,
> + reg->key.current_addr);
> + ret = -ERANGE;
> + break;
here
> + }
> host_addr = (block->local_host_addr +
> (reg->key.current_addr - block->offset));
> chunk = ram_chunk_index(block->local_host_addr,
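Review bot: the address check in the is_ram_block branch is a lower bound only: `block->offset > reg->key.current_addr` rejects addresses before the block, but a current_addr past the end of the block still passes, and `reg->key.current_addr - block->offset` then yields a host_addr beyond it. Suggest adding the matching upper-bound test against the block's length. Both new error paths also sit inside the registration loop (see the register_loop trace point), so a bare break only leaves that loop; the ret assigned here has to reach the caller, so either make the exit explicit or test ret before the code after the loop assigns to it again.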
> @@ -3090,6 +3112,14 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
> chunk = reg->key.chunk;
> host_addr = block->local_host_addr +
> (reg->key.chunk * (1UL << RDMA_REG_CHUNK_SHIFT));
> + /* Check for particularly bad chunk value */
> + if (host_addr < (void *)block->local_host_addr) {
> + error_report("rdma: bad chunk for block %s"
> + " chunk: %" PRIx64,
> + block->block_name, reg->key.chunk);
> + ret = -ERANGE;
> + break;
and here the "break" takes you directly to
ret = qemu_rdma_post_send_control(rdma,
(uint8_t *) results, &reg_resp);
where ret is overwritten (spotted by Coverity).
Paolo
> + }
> }
> chunk_start = ram_chunk_start(block, chunk);
> chunk_end = ram_chunk_end(block, chunk + reg->chunks);
>
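Review bot: the test `host_addr < (void *)block->local_host_addr` in the else branch only fires when the addition has already wrapped around. Overflowing pointer arithmetic is undefined behaviour in C, so a compiler may drop the comparison, and a chunk value that is too large but does not wrap still passes. Suggest validating reg->key.chunk against the number of chunks in the block before computing host_addr, and applying the same limit to `chunk + reg->chunks`, which goes unchecked into ram_chunk_end() below.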