From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Het Gala <het.gala@nutanix.com>
Cc: qemu-devel@nongnu.org, prerna.saxena@nutanix.com,
quintela@redhat.com, dgilbert@redhat.com, pbonzini@redhat.com,
armbru@redhat.com, eblake@redhat.com, manish.mishra@nutanix.com,
aravind.retnakaran@nutanix.com
Subject: Re: [PATCH v4 4/8] migration: converts rdma backend to accept MigrateAddress struct
Date: Mon, 15 May 2023 11:24:21 +0100
Message-ID: <ZGIIVc83VbEMgUhB@redhat.com>
In-Reply-To: <20230512143240.192504-5-het.gala@nutanix.com>
On Fri, May 12, 2023 at 02:32:36PM +0000, Het Gala wrote:
> RDMA based transport backend for 'migrate'/'migrate-incoming' QAPIs
> accept new wire protocol of MigrateAddress struct.
>
> It is achieved by parsing 'uri' string and storing migration parameters
> required for RDMA connection into well defined InetSocketAddress struct.
>
> Suggested-by: Aravind Retnakaran <aravind.retnakaran@nutanix.com>
> Signed-off-by: Het Gala <het.gala@nutanix.com>
> ---
> migration/migration.c | 8 ++++----
> migration/rdma.c | 38 ++++++++++++++++----------------------
> migration/rdma.h | 6 ++++--
> 3 files changed, 24 insertions(+), 28 deletions(-)
>
> @@ -3360,10 +3346,12 @@ static int qemu_rdma_accept(RDMAContext *rdma)
> .private_data_len = sizeof(cap),
> };
> RDMAContext *rdma_return_path = NULL;
> + InetSocketAddress *isock = g_new0(InetSocketAddress, 1);
> struct rdma_cm_event *cm_event;
> struct ibv_context *verbs;
> int ret = -EINVAL;
> int idx;
> + char arr[8];
>
> ret = rdma_get_cm_event(rdma->channel, &cm_event);
> if (ret) {
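Review bot: `isock` is introduced as a plain pointer at the top of the function and so has to be freed on every exit path, not only at `err_rdma_dest_wait`; `g_autoptr(InetSocketAddress) isock = g_new0(InetSocketAddress, 1);` ties its lifetime to the scope and removes that burden. The `char arr[8]` buffer is sized for a valid port by assumption rather than by the width of `%d`: an `int` formats to up to 11 characters plus the terminator, so either range-check `rdma->port` before formatting or drop the fixed buffer in favour of a heap string.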
> @@ -3375,13 +3363,17 @@ static int qemu_rdma_accept(RDMAContext *rdma)
> goto err_rdma_dest_wait;
> }
>
> + isock->host = rdma->host;
> + sprintf(arr,"%d", rdma->port);
> + isock->port = arr;
While Inet ports are 16-bit, and so 65535 fits in a char[8], nothing
at the QAPI parser level is enforcing this.
IOW, someone can pass QEMU a QAPI config with port = 235252353253253253232
and cause this sprintf to smash the stack.
Also this is assigning a stack variable to isock->port which
expects a heap variable. qapi_free_InetSocketAddress() will
call free(isock->port) which will again crash.
Just do
g_autoptr(InetSocketAddress) isock = g_new0(InetSocketAddress, 1);
isock->port = g_strdup_printf("%d", rdma->port);
> +
> /*
> * initialize the RDMAContext for return path for postcopy after first
> * connection request reached.
> */
> if ((migrate_postcopy() || migrate_return_path())
> && !rdma->is_return_path) {
> - rdma_return_path = qemu_rdma_data_init(rdma->host_port, NULL);
> + rdma_return_path = qemu_rdma_data_init(isock, NULL);
> if (rdma_return_path == NULL) {
> rdma_ack_cm_event(cm_event);
> goto err_rdma_dest_wait;
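Review bot: `isock->host = rdma->host;` aliases a string the RDMAContext still owns instead of copying it, so `qapi_free_InetSocketAddress(isock)` frees `rdma->host` out from under the context and the separate `g_free(rdma->host)` on the error path in `rdma_start_incoming_migration` becomes a double free; use `isock->host = g_strdup(rdma->host);`. The same ownership problem applies to `isock->port = arr;`, and `sprintf(arr, "%d", rdma->port)` writes an unbounded `%d` into an 8-byte stack buffer, so `isock->port = g_strdup_printf("%d", rdma->port);` fixes both, with a range check on `rdma->port` first since the value comes from user-supplied configuration.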
> @@ -3506,6 +3498,8 @@ static int qemu_rdma_accept(RDMAContext *rdma)
> err_rdma_dest_wait:
> rdma->error_state = ret;
> qemu_rdma_cleanup(rdma);
> + qapi_free_InetSocketAddress(isock);
> + g_free(arr);
Freeing a stack variable
> g_free(rdma_return_path);
> return ret;
> }
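Review bot: `g_free(arr);` hands a stack array to the allocator and must be removed, and as the fields stand `qapi_free_InetSocketAddress(isock)` frees `isock->port` (the same stack array) and `isock->host` (aliasing `rdma->host`), so this cleanup label is itself unsafe until both fields are heap copies. Only the error label frees `isock` in the quoted hunks; confirm the success return also frees it, or use `g_autoptr` so both paths are covered by one declaration.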
> @@ -4114,7 +4108,8 @@ static void rdma_accept_incoming_migration(void *opaque)
> }
> }
>
> -void rdma_start_incoming_migration(const char *host_port, Error **errp)
> +void rdma_start_incoming_migration(InetSocketAddress *host_port,
> + Error **errp)
> {
> int ret;
> RDMAContext *rdma;
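Review bot: the parameter keeps the name `host_port` while its type is now `InetSocketAddress *`, so the name still suggests a "host:port" string; renaming it (e.g. `addr`) would avoid that, and the function comment should state whether the callee takes ownership of the struct or only borrows it for the call, since nothing in the signature conveys that.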
> @@ -4160,13 +4155,12 @@ err:
> error_propagate(errp, local_err);
> if (rdma) {
> g_free(rdma->host);
> - g_free(rdma->host_port);
> }
> g_free(rdma);
> }
>
> void rdma_start_outgoing_migration(void *opaque,
> - const char *host_port, Error **errp)
> + InetSocketAddress *host_port, Error **errp)
> {
> MigrationState *s = opaque;
> RDMAContext *rdma_return_path = NULL;
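Review bot: dropping `g_free(rdma->host_port);` from the error path is only correct if the `host_port` member has been removed from `RDMAContext` in the same patch; that struct change is not visible in the quoted hunks, so please confirm it is included, otherwise the field leaks on this path. As with the incoming side, the new `InetSocketAddress *host_port` parameter needs a stated ownership rule.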
> diff --git a/migration/rdma.h b/migration/rdma.h
> index de2ba09dc5..ee89296555 100644
> --- a/migration/rdma.h
> +++ b/migration/rdma.h
> @@ -14,12 +14,14 @@
> *
> */
>
> +#include "qemu/sockets.h"
> +
> #ifndef QEMU_MIGRATION_RDMA_H
> #define QEMU_MIGRATION_RDMA_H
>
> -void rdma_start_outgoing_migration(void *opaque, const char *host_port,
> +void rdma_start_outgoing_migration(void *opaque, InetSocketAddress *host_port,
> Error **errp);
>
> -void rdma_start_incoming_migration(const char *host_port, Error **errp);
> +void rdma_start_incoming_migration(InetSocketAddress *host_port, Error **errp);
>
> #endif
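Review bot: the new `#include "qemu/sockets.h"` sits above the `#ifndef QEMU_MIGRATION_RDMA_H` include guard; move it inside the guard, after `#define QEMU_MIGRATION_RDMA_H`, so the header follows the usual layout and the include is not re-processed on every inclusion of rdma.h.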
> --
> 2.22.3
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
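The two defects raised above, an unbounded `sprintf` into `char arr[8]` and stack or borrowed pointers stored in a struct whose free routine calls `free()` on its fields, are illustrated below with plain libc standing in for GLib. This is an added example, not code from the patch or from QEMU; `port_to_heap_string`, `formatted_int_length`, `struct addr`, `addr_new` and `addr_free` are hypothetical names chosen for the illustration, and 65535 is used as the port range bound.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bound for this example: valid IP ports are 0..65535. */
#define PORT_MAX 65535

/*
 * Heap-allocate the decimal form of a port, the way g_strdup_printf("%d", port)
 * would, so the result can be stored in a struct whose free routine calls
 * free() on the field.  Out-of-range values are rejected up front (errno set
 * to ERANGE) instead of being formatted into a buffer sized by assumption.
 */
char *port_to_heap_string(long port)
{
    if (port < 0 || port > PORT_MAX) {
        errno = ERANGE;
        return NULL;
    }
    /* Measure first, then allocate exactly that much: no fixed char[8]. */
    int len = snprintf(NULL, 0, "%ld", port);
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL) {
        return NULL;
    }
    snprintf(buf, (size_t)len + 1, "%ld", port);
    return buf;
}

/*
 * Number of characters "%d" produces for an int.  This is what a fixed
 * buffer would have to hold if the port field is not range-checked:
 * INT_MIN needs 11 characters plus the terminator, more than char[8].
 */
size_t formatted_int_length(int value)
{
    return (size_t)snprintf(NULL, 0, "%d", value);
}

/* Toy stand-in for a QAPI struct: both fields are owned heap strings. */
struct addr {
    char *host;
    char *port;
};

/* Plain malloc-based copy so the example stays within ISO C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Mirrors qapi_free_InetSocketAddress(): frees the fields, then the struct. */
void addr_free(struct addr *a)
{
    if (a == NULL) {
        return;
    }
    free(a->host);
    free(a->port);
    free(a);
}

/*
 * Build the struct from copies, never from the caller's pointers or a stack
 * array, so addr_free() cannot double-free the caller's host string or pass
 * a stack address to free().
 */
struct addr *addr_new(const char *host, long port)
{
    char *port_str = port_to_heap_string(port);
    if (port_str == NULL) {
        return NULL;
    }
    struct addr *a = calloc(1, sizeof(*a));
    if (a == NULL) {
        free(port_str);
        return NULL;
    }
    a->port = port_str;
    a->host = dup_string(host);
    if (a->host == NULL) {
        addr_free(a);
        return NULL;
    }
    return a;
}

int main(void)
{
    /* Constructed sample: a host string the "context" keeps owning. */
    char context_host[] = "192.0.2.10";
    struct addr *a = addr_new(context_host, 4444);
    if (a == NULL) {
        return 1;
    }
    printf("host=%s port=%s\n", a->host, a->port);
    addr_free(a);   /* frees the copies only; context_host is untouched */
    printf("INT_MIN needs %zu chars\n", formatted_int_length(INT_MIN));
    return port_to_heap_string(70000) == NULL ? 0 : 1;
}
```

The range check and measured allocation replace the fixed `char arr[8]`, and the copy-on-construct rule is what keeps a `qapi_free_*`-style destructor from freeing memory the caller still owns.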