* [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment
@ 2014-02-21 16:42 Markus Armbruster
2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
0 siblings, 2 replies; 8+ messages in thread
From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw)
To: qemu-devel; +Cc: alex.williamson
Markus Armbruster (2):
vfio: Fix overrun after readlink() fills buffer completely
pci-assign: Fix potential read beyond buffer on -EBUSY
hw/i386/kvm/pci-assign.c | 1 +
hw/misc/vfio.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--
1.8.1.4
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely
2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster
@ 2014-02-21 16:42 ` Markus Armbruster
2014-02-21 16:47 ` Peter Maydell
2014-02-21 17:17 ` Alex Williamson
2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
1 sibling, 2 replies; 8+ messages in thread
From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw)
To: qemu-devel; +Cc: alex.williamson
readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.
Fix by reserving space for the null byte when calling readlink(), like
we do elsewhere.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
hw/misc/vfio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 8db182f..8e56785 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev)
strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
- len = readlink(path, iommu_group_path, PATH_MAX);
+ len = readlink(path, iommu_group_path, PATH_MAX - 1);
if (len <= 0) {
error_report("vfio: error no iommu_group for device");
return -errno;
--
1.8.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster
2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
@ 2014-02-21 16:42 ` Markus Armbruster
2014-02-21 16:51 ` Peter Maydell
1 sibling, 1 reply; 8+ messages in thread
From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw)
To: qemu-devel; +Cc: alex.williamson
readlink() doesn't write a terminating null byte.
assign_failed_examine() passes the unterminated string to strrchr().
Oops. Terminate it.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
hw/i386/kvm/pci-assign.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index 9686801..a825871 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
goto fail;
}
+ driver[r] = 0;
ns = strrchr(driver, '/');
if (!ns) {
goto fail;
--
1.8.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely
2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
@ 2014-02-21 16:47 ` Peter Maydell
2014-02-21 17:17 ` Alex Williamson
1 sibling, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-21 16:47 UTC (permalink / raw)
To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers
On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote:
> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte. vfio_init() writes it itself.
> Overruns the buffer when readlink() filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Spotted by Coverity.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
> hw/misc/vfio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
> index 8db182f..8e56785 100644
> --- a/hw/misc/vfio.c
> +++ b/hw/misc/vfio.c
> @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev)
>
> strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
>
> - len = readlink(path, iommu_group_path, PATH_MAX);
> + len = readlink(path, iommu_group_path, PATH_MAX - 1);
> if (len <= 0) {
> error_report("vfio: error no iommu_group for device");
> return -errno;
"sizeof(iommu_group_path) - 1" would be slightly better,
I think, but PATH_MAX - 1 works too.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
(cc stable?)
thanks
-- PMM
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
@ 2014-02-21 16:51 ` Peter Maydell
2014-02-21 16:55 ` Peter Maydell
0 siblings, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-02-21 16:51 UTC (permalink / raw)
To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers
On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote:
> readlink() doesn't write a terminating null byte.
> assign_failed_examine() passes the unterminated string to strrchr().
> Oops. Terminate it.
>
> Spotted by Coverity.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
> hw/i386/kvm/pci-assign.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
> index 9686801..a825871 100644
> --- a/hw/i386/kvm/pci-assign.c
> +++ b/hw/i386/kvm/pci-assign.c
> @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
> goto fail;
> }
>
> + driver[r] = 0;
This will write off the end of the buffer if readlink()
filled it completely, won't it? I think you also need
to change the readlink() 3rd argument to "sizeof(driver) - 1".
thanks
-- PMM
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
2014-02-21 16:51 ` Peter Maydell
@ 2014-02-21 16:55 ` Peter Maydell
0 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-21 16:55 UTC (permalink / raw)
To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers
On 21 February 2014 16:51, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote:
>> readlink() doesn't write a terminating null byte.
>> assign_failed_examine() passes the unterminated string to strrchr().
>> Oops. Terminate it.
>>
>> Spotted by Coverity.
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>> hw/i386/kvm/pci-assign.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
>> index 9686801..a825871 100644
>> --- a/hw/i386/kvm/pci-assign.c
>> +++ b/hw/i386/kvm/pci-assign.c
>> @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
>> goto fail;
>> }
>>
>> + driver[r] = 0;
>
> This will write off the end of the buffer if readlink()
> filled it completely, won't it? I think you also need
> to change the readlink() 3rd argument to "sizeof(driver) - 1".
Apologies for this aspersion -- we check for
"r == sizeof(driver)" and bail out before we get here,
so the patch is ok.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
thanks
-- PMM
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely
2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
2014-02-21 16:47 ` Peter Maydell
@ 2014-02-21 17:17 ` Alex Williamson
2014-02-24 14:04 ` Markus Armbruster
1 sibling, 1 reply; 8+ messages in thread
From: Alex Williamson @ 2014-02-21 17:17 UTC (permalink / raw)
To: Markus Armbruster; +Cc: qemu-devel
On Fri, 2014-02-21 at 17:42 +0100, Markus Armbruster wrote:
> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte. vfio_init() writes it itself.
> Overruns the buffer when readlink() filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Spotted by Coverity.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
> hw/misc/vfio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
> index 8db182f..8e56785 100644
> --- a/hw/misc/vfio.c
> +++ b/hw/misc/vfio.c
> @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev)
>
> strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
>
> - len = readlink(path, iommu_group_path, PATH_MAX);
> + len = readlink(path, iommu_group_path, PATH_MAX - 1);
> if (len <= 0) {
> error_report("vfio: error no iommu_group for device");
> return -errno;
I'm not sure why we wouldn't follow the same logic as pci-assign here.
If we fill to the length provided we have no idea if we have the full
path. We certainly expect it to fit well within PATH_MAX, so let's
handle it as an error if we reach PATH_MAX. Thanks,
Alex
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely
2014-02-21 17:17 ` Alex Williamson
@ 2014-02-24 14:04 ` Markus Armbruster
0 siblings, 0 replies; 8+ messages in thread
From: Markus Armbruster @ 2014-02-24 14:04 UTC (permalink / raw)
To: Alex Williamson; +Cc: qemu-devel
Alex Williamson <alex.williamson@redhat.com> writes:
> On Fri, 2014-02-21 at 17:42 +0100, Markus Armbruster wrote:
>> readlink() returns the number of bytes written to the buffer, and it
>> doesn't write a terminating null byte. vfio_init() writes it itself.
>> Overruns the buffer when readlink() filled it completely.
>>
>> Fix by reserving space for the null byte when calling readlink(), like
>> we do elsewhere.
>>
>> Spotted by Coverity.
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>> hw/misc/vfio.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
>> index 8db182f..8e56785 100644
>> --- a/hw/misc/vfio.c
>> +++ b/hw/misc/vfio.c
>> @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev)
>>
>> strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
>>
>> - len = readlink(path, iommu_group_path, PATH_MAX);
>> + len = readlink(path, iommu_group_path, PATH_MAX - 1);
>> if (len <= 0) {
>> error_report("vfio: error no iommu_group for device");
>> return -errno;
>
> I'm not sure why we wouldn't follow the same logic as pci-assign here.
> If we fill to the length provided we have no idea if we have the full
> path. We certainly expect it to fit well within PATH_MAX, so let's
> handle it as an error if we reach PATH_MAX. Thanks,
Fair point. v2 sent.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2014-02-24 14:13 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster
2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
2014-02-21 16:47 ` Peter Maydell
2014-02-21 17:17 ` Alex Williamson
2014-02-24 14:04 ` Markus Armbruster
2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
2014-02-21 16:51 ` Peter Maydell
2014-02-21 16:55 ` Peter Maydell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).