From: Markus Armbruster <armbru@redhat.com>
To: "liujunjie (A)" <liujunjie23@huawei.com>
Cc: "wangxin (U)" <wangxinxin.wang@huawei.com>,
"Gonglei (Arei)" <arei.gonglei@huawei.com>,
"Huangweidong (C)" <weidong.huang@huawei.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
Date: Tue, 24 Jul 2018 08:22:54 +0200
Message-ID: <87r2jt40g1.fsf@dusky.pond.sub.org>
In-Reply-To: <B526101FCAB4654DB0892B650DEFC555086C8382@dggemm521-mbx.china.huawei.com> (liujunjie's message of "Tue, 24 Jul 2018 01:08:21 +0000")
"liujunjie (A)" <liujunjie23@huawei.com> writes:
> The stack backtrace is as follows:
> (gdb) bt
> #0 0x00007f1dc3c7b091 in _g_log_abort () from /usr/lib64/libglib-2.0.so.0
> #1 0x00007f1dc3c7c0bd in g_log_default_handler () from /usr/lib64/libglib-2.0.so.0
> #2 0x00007f1dc3c7c341 in g_logv () from /usr/lib64/libglib-2.0.so.0
> #3 0x00007f1dc3c7c5cf in g_log () from /usr/lib64/libglib-2.0.so.0
> #4 0x00007f1dc3c7ac4c in g_malloc () from /usr/lib64/libglib-2.0.so.0
> #5 0x00000000008300b7 in qstring_from_substr (
> str=0x7f13a2e67010 "00000000777b8000: 0000000003083000 ----A--U-\r\n00000000777b9000: 0000000005984000 ----A--U-\r\n00000000777ba000: 0000000005985000 ----A--U-\r\n00000000777bb000: 0000000003086000 ----A--U-\r\n00000000777bc000"..., start=start@entry=0, end=<optimized out>) at qobject/qstring.c:51
> #6 0x0000000000830113 in qstring_from_str (str=<optimized out>) at qobject/qstring.c:66
> #7 0x000000000082be98 in qobject_output_type_str (v=<optimized out>, name=0x89703b "unused", obj=0x7ffff0135f98, errp=<optimized out>)
> at qapi/qobject_output_visitor.c:172
> #8 0x0000000000829d2c in visit_type_str (v=v@entry=0x4d9d940, name=name@entry=0x89703b "unused", obj=obj@entry=0x7ffff0135f98, errp=errp@entry=0x7ffff0135fa8)
> at qapi/qapi_visit_core.c:291
> #9 0x0000000000576135 in qmp_marshal_output_str (
> ret_in=0x7f13a2e67010 "00000000777b8000: 0000000003083000 ----A--U-\r\n00000000777b9000: 0000000005984000 ----A--U-\r\n00000000777ba000: 0000000005985000 ----A--U-\r\n00000000777bb000: 0000000003086000 ----A--U-\r\n00000000777bc000"..., ret_out=ret_out@entry=0x7ffff0136068, errp=errp@entry=0x7ffff0135fe8) at qmp-marshal.c:2022
> #10 0x00000000005762cb in qmp_marshal_human_monitor_command (args=<optimized out>, ret=0x7ffff0136068, errp=0x7ffff0136060) at qmp-marshal.c:2059
> #11 0x000000000082c897 in do_qmp_dispatch (request=request@entry=0x1fcda50, errp=errp@entry=0x7ffff01360b8) at qapi/qmp_dispatch.c:114
> #12 0x000000000082caeb in qmp_dispatch (request=request@entry=0x1fcda50) at qapi/qmp_dispatch.c:141
> #13 0x000000000045e0d2 in handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-kvm-2.8.1/monitor.c:3907
[...]
The code is trying to marshall the return value of
qmp_human_monitor_command(). It's @ret_in in qmp_marshal_output_str()
(frame#9, abbreviated by GDB), and @str in qstring_from_substr()
(frame#5). Also @str in qstring_from_str() (frame#6), but GDB can't see
it there. Sadly, GDB can't show qstring_from_substr()'s @end,
either. However, you previously examined qstring->length there:
>> > (gdb) p/x qstring->length
>> > $7 = 0xffffffffb0fd64bc
>> > (gdb) p end
>> > $8 = <optimized out>
We know
qstring->length = end - start + 1;
If GDB shows the true value (always in doubt for optimized code), then
@end must be qstring->length - 1, because @start is zero. But that's
not plausible at all! It's almost 16 exabytes.
I suspect GDB is lying to you. Please show us the complete string, like
this:
(gdb) set print elements unlimited
(gdb) print str
Thread overview: 12+ messages
2018-07-20 13:09 [Qemu-devel] [PATCH] qstring: Fix integer overflow liujunjie
2018-07-23 12:47 ` Markus Armbruster
2018-07-23 14:36 ` liujunjie (A)
2018-07-23 15:46 ` Markus Armbruster
2018-07-24 1:08 ` liujunjie (A)
2018-07-24 6:22 ` Markus Armbruster [this message]
2018-07-24 8:46 ` Markus Armbruster
2018-07-24 9:18 ` liujunjie (A)
2018-07-24 12:07 ` Markus Armbruster
2018-07-24 13:24 ` liujunjie (A)
2018-07-23 14:52 ` Eric Blake
2018-07-24 2:27 ` liujunjie (A)