* [Qemu-devel] [PATCH] loader: Fix read_targphys() to behave when read() fails
From: Markus Armbruster @ 2011-11-16 18:41 UTC (permalink / raw)
To: qemu-devel; +Cc: blauwirbel
Happily passes (size_t)-1 to rom_add_blob_fixed(), which promptly dies
attempting to malloc that much. Spotted by Coverity.
Bonus fix for ROMs larger than INT_MAX bytes: return ssize_t instead
of int. Bug can't bite, because the only user load_aout() limits ROM
size to an int value.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
hw/loader.c | 9 +++++----
hw/loader.h | 4 ++--
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hw/loader.c b/hw/loader.c
index 5676c18..9bbcddd 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -85,11 +85,11 @@ int load_image(const char *filename, uint8_t *addr)
}
/* read()-like version */
-int read_targphys(const char *name,
- int fd, target_phys_addr_t dst_addr, size_t nbytes)
+ssize_t read_targphys(const char *name,
+ int fd, target_phys_addr_t dst_addr, size_t nbytes)
{
uint8_t *buf;
- size_t did;
+ ssize_t did;
buf = g_malloc(nbytes);
did = read(fd, buf, nbytes);
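Review bot: widening `did` from `size_t` to `ssize_t` is the whole fix the subject line promises, yet the hunk's context stops at `did = read(fd, buf, nbytes);`, so the comparison that used to see a failed read() as `(size_t)-1` (a huge positive byte count) and hand it to rom_add_blob_fixed() is not visible here; a reviewer has to take on trust that the test which follows compares `did` as a signed value. A one-line comment at the declaration, e.g. `ssize_t did; /* read() result: -1 on error, must stay signed */`, would keep that invariant from being lost in the next refactor. Also worth remembering when reading `buf = g_malloc(nbytes);`: g_malloc() aborts instead of returning NULL when the request cannot be satisfied, so bounding `nbytes` remains the caller's job.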
@@ -176,7 +176,8 @@ static void bswap_ahdr(struct exec *e)
int load_aout(const char *filename, target_phys_addr_t addr, int max_sz,
int bswap_needed, target_phys_addr_t target_page_size)
{
- int fd, size, ret;
+ int fd;
+ ssize_t size, ret;
struct exec e;
uint32_t magic;
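Review bot: `size` and `ret` become `ssize_t`, but load_aout() itself still returns `int` and takes `int max_sz` (both visible in the unchanged signature at the top of the hunk), so a value wider than an int is truncated again on return. The commit message explains this cannot bite because the ROM size is capped at `max_sz`; a short comment on the declaration, or widening the return type in a follow-up, would keep the type story consistent along the call chain.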
diff --git a/hw/loader.h b/hw/loader.h
index fc6bdff..fbcaba9 100644
--- a/hw/loader.h
+++ b/hw/loader.h
@@ -14,8 +14,8 @@ int load_aout(const char *filename, target_phys_addr_t addr, int max_sz,
int load_uimage(const char *filename, target_phys_addr_t *ep,
target_phys_addr_t *loadaddr, int *is_linux);
-int read_targphys(const char *name,
- int fd, target_phys_addr_t dst_addr, size_t nbytes);
+ssize_t read_targphys(const char *name,
+ int fd, target_phys_addr_t dst_addr, size_t nbytes);
void pstrcpy_targphys(const char *name,
target_phys_addr_t dest, int buf_size,
const char *source);
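Review bot: the prototype now matches the new definition, but the header says nothing about the return convention; the only hint, `/* read()-like version */`, lives in loader.c, so a caller reading loader.h cannot tell that a negative `ssize_t` means read() failed and must be checked before the value is used as a length. Suggest a one-line comment above the prototype, e.g. `/* Returns bytes read, or -1 on error (like read()). */`.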
--
1.7.6.4
* Re: [Qemu-devel] [PATCH] loader: Fix read_targphys() to behave when read() fails
From: Blue Swirl @ 2011-11-19 14:02 UTC (permalink / raw)
To: Markus Armbruster; +Cc: qemu-devel
Thanks, applied.
On Wed, Nov 16, 2011 at 18:41, Markus Armbruster <armbru@redhat.com> wrote:
> Happily passes (size_t)-1 to rom_add_blob_fixed(), which promptly dies
> attempting to malloc that much. Spotted by Coverity.
>
> Bonus fix for ROMs larger than INT_MAX bytes: return ssize_t instead
> of int. Bug can't bite, because the only user load_aout() limits ROM
> size to an int value.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
> hw/loader.c | 9 +++++----
> hw/loader.h | 4 ++--
> 2 files changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/hw/loader.c b/hw/loader.c
> index 5676c18..9bbcddd 100644
> --- a/hw/loader.c
> +++ b/hw/loader.c
> @@ -85,11 +85,11 @@ int load_image(const char *filename, uint8_t *addr)
> }
>
> /* read()-like version */
> -int read_targphys(const char *name,
> - int fd, target_phys_addr_t dst_addr, size_t nbytes)
> +ssize_t read_targphys(const char *name,
> + int fd, target_phys_addr_t dst_addr, size_t nbytes)
> {
> uint8_t *buf;
> - size_t did;
> + ssize_t did;
>
> buf = g_malloc(nbytes);
> did = read(fd, buf, nbytes);
> @@ -176,7 +176,8 @@ static void bswap_ahdr(struct exec *e)
> int load_aout(const char *filename, target_phys_addr_t addr, int max_sz,
> int bswap_needed, target_phys_addr_t target_page_size)
> {
> - int fd, size, ret;
> + int fd;
> + ssize_t size, ret;
> struct exec e;
> uint32_t magic;
>
> diff --git a/hw/loader.h b/hw/loader.h
> index fc6bdff..fbcaba9 100644
> --- a/hw/loader.h
> +++ b/hw/loader.h
> @@ -14,8 +14,8 @@ int load_aout(const char *filename, target_phys_addr_t addr, int max_sz,
> int load_uimage(const char *filename, target_phys_addr_t *ep,
> target_phys_addr_t *loadaddr, int *is_linux);
>
> -int read_targphys(const char *name,
> - int fd, target_phys_addr_t dst_addr, size_t nbytes);
> +ssize_t read_targphys(const char *name,
> + int fd, target_phys_addr_t dst_addr, size_t nbytes);
> void pstrcpy_targphys(const char *name,
> target_phys_addr_t dest, int buf_size,
> const char *source);
> --
> 1.7.6.4
>
>