From: Markus Armbruster <armbru@redhat.com>
To: Igor Mammedov <imammedo@redhat.com>
Cc: libvir-list@redhat.com, pbonzini@redhat.com, berrange@redhat.com,
qemu-devel@nongnu.org, ehabkost@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 1/6] pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size()
Date: Mon, 27 May 2019 18:36:25 +0200 [thread overview]
Message-ID: <87imtvj1me.fsf@dusky.pond.sub.org> (raw)
In-Reply-To: <1558079119-320634-2-git-send-email-imammedo@redhat.com> (Igor Mammedov's message of "Fri, 17 May 2019 09:45:14 +0200")
Igor Mammedov <imammedo@redhat.com> writes:
> QEMU will crash when device-memory-region-size property is read if ms->device_memory
> wasn't initialized yet (ex: property being inspected during preconfig time).
Reproduced:
$ qemu-system-x86_64 -nodefaults -S -display none -preconfig -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 0, "major": 4}, "package": "v4.0.0-828-ga7b21f6762"}, "capabilities": ["oob"]}}
{"execute": "qmp_capabilities"}
{"return": {}}
{"execute": "qom-get", "arguments": {"path": "/machine", "property": "device-memory-region-size"}}
Segmentation fault (core dumped)
First time I started looking at this series, I went "I'll need a
reproducer to fully understand what's up, and I don't feel like finding
one now; next series, please". Second time, I had to spend a few
minutes on the reproducer. Wasn't hard, since you provided a clue.
Still: make review easy, include a reproducer whenever you can.
> Instead of crashing return 0 if ms->device_memory hasn't been initialized.
>
> Signed-off-by: Igor Mammedov <imammedo@redhat.com>
> ---
> hw/i386/pc.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/i386/pc.c b/hw/i386/pc.c
> index d98b737..de91e90 100644
> --- a/hw/i386/pc.c
> +++ b/hw/i386/pc.c
> @@ -2461,7 +2461,11 @@ pc_machine_get_device_memory_region_size(Object *obj, Visitor *v,
> Error **errp)
> {
> MachineState *ms = MACHINE(obj);
> - int64_t value = memory_region_size(&ms->device_memory->mr);
> + int64_t value = 0;
> +
> + if (ms->device_memory) {
> + memory_region_size(&ms->device_memory->mr);
> + }
>
> visit_type_int(v, name, &value, errp);
> }
This makes qom-get return 0 for the size of memory that doesn't exist,
yet.
A possible alternative would be setting an error.
Opinions?
next prev parent reply other threads:[~2019-05-27 16:37 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-17 7:45 [Qemu-devel] [PATCH v3 0/6] numa: deprecate '-numa node, mem' and default memory distribution Igor Mammedov
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 1/6] pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size() Igor Mammedov
2019-05-27 16:36 ` Markus Armbruster [this message]
2019-05-28 13:46 ` Igor Mammedov
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 2/6] qmp: make "qom-list-properties" show initial property values Igor Mammedov
2019-05-27 18:15 ` Markus Armbruster
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 3/6] qmp: qmp_qom_list_properties(): ignore empty string options Igor Mammedov
2019-05-27 18:22 ` Markus Armbruster
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 4/6] numa: introduce "numa-mem-supported" machine property Igor Mammedov
2019-05-27 18:38 ` Markus Armbruster
2019-05-28 13:14 ` Igor Mammedov
2019-05-27 18:52 ` Eduardo Habkost
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 5/6] numa: deprecate 'mem' parameter of '-numa node' option Igor Mammedov
2019-05-17 7:45 ` [Qemu-devel] [PATCH v3 6/6] numa: deprecate implict memory distribution between nodes Igor Mammedov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87imtvj1me.fsf@dusky.pond.sub.org \
--to=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=ehabkost@redhat.com \
--cc=imammedo@redhat.com \
--cc=libvir-list@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.