From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Bin Meng <bmeng.cn@gmail.com>
Cc: qemu-devel@nongnu.org,
	"Marc-André Lureau" <marcandre.lureau@gmail.com>,
	"Bin Meng" <bin.meng@windriver.com>,
	"Stefan Weil" <sw@weilnetz.de>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Fam Zheng" <fam@euphon.net>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	qemu-block@nongnu.org
Subject: Re: [PATCH v3 3/3] util/aio-win32: Correct the event array size in aio_poll()
Date: Wed, 19 Oct 2022 09:36:30 +0100
Message-ID: <Y0+3DnYl1cEeweZU@redhat.com>
In-Reply-To: <20220824085231.1630804-3-bmeng.cn@gmail.com>

On Wed, Aug 24, 2022 at 04:52:31PM +0800, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
> 
> WaitForMultipleObjects() can only wait for MAXIMUM_WAIT_OBJECTS
> object handles. Correct the event array size in aio_poll() and
> add an assert() to ensure it does not cause out of bound access.
> 
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> Reviewed-by: Stefan Weil <sw@weilnetz.de>
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> 
> (no changes since v2)
> 
> Changes in v2:
> - change 'count' to unsigned
> 
>  util/aio-win32.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/util/aio-win32.c b/util/aio-win32.c
> index 44003d645e..80cfe012ad 100644
> --- a/util/aio-win32.c
> +++ b/util/aio-win32.c
> @@ -326,9 +326,9 @@ void aio_dispatch(AioContext *ctx)
>  bool aio_poll(AioContext *ctx, bool blocking)
>  {
>      AioHandler *node;
> -    HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
> +    HANDLE events[MAXIMUM_WAIT_OBJECTS];

Interestingly, the original + 1 was entirely pointless, since
the aio_poll impl has no bounds checking at all, until your
new assert.

>      bool progress, have_select_revents, first;
> -    int count;
> +    unsigned count;
>      int timeout;
>  
>      /*
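
Review bot: the `int count` to `unsigned count` change in the declarations of aio_poll() is explained only in the "Changes in v2" notes under the `---`, which are dropped when the patch is applied. Please add a sentence to the commit message saying why the counter becomes unsigned (it indexes `events[count++]` and is compared against MAXIMUM_WAIT_OBJECTS in the new assert), and check that no remaining use of `count` in this function compares it with a signed value.
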
> @@ -369,6 +369,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
>      QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
>          if (!node->deleted && node->io_notify
>              && aio_node_check(ctx, node->is_external)) {
> +            assert(count < MAXIMUM_WAIT_OBJECTS);
>              events[count++] = event_notifier_get_handle(node->e);
>          }
>      }
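
Review bot: the new `assert(count < MAXIMUM_WAIT_OBJECTS);` inside the QLIST_FOREACH_RCU loop is the only bound on `events[count++]`, and it aborts the process at poll time rather than rejecting the handler that pushed the list over the limit. If the number of eligible handlers can grow at runtime, consider enforcing the limit where handlers are added to `ctx->aio_handlers` so the caller gets an error, and keep this assert as the last line of defence. A short comment above it stating that the limit comes from WaitForMultipleObjects() would also help the next reader.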

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



Thread overview: 16+ messages
2022-08-24  8:52 [PATCH v3 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-08-24  8:52 ` [PATCH v3 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
2022-08-30 12:22   ` Philippe Mathieu-Daudé via
2022-10-19  8:32   ` Daniel P. Berrangé
2022-10-19  9:07     ` Bin Meng
2022-08-24  8:52 ` [PATCH v3 3/3] util/aio-win32: Correct the event array size in aio_poll() Bin Meng
2022-08-30 12:23   ` Philippe Mathieu-Daudé via
2022-10-19  8:36   ` Daniel P. Berrangé [this message]
2022-09-02  4:19 ` [PATCH v3 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-09-09  6:45   ` Bin Meng
2022-09-13  9:51 ` Marc-André Lureau
2022-09-25  1:07   ` Bin Meng
2022-10-02 22:21     ` Bin Meng
2022-10-11 12:04       ` Bin Meng
2022-10-19  5:53         ` Bin Meng
2022-10-19  8:41 ` Daniel P. Berrangé
