* [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment @ 2014-02-21 16:42 Markus Armbruster 2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster 2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster 0 siblings, 2 replies; 8+ messages in thread From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw) To: qemu-devel; +Cc: alex.williamson Markus Armbruster (2): vfio: Fix overrun after readlink() fills buffer completely pci-assign: Fix potential read beyond buffer on -EBUSY hw/i386/kvm/pci-assign.c | 1 + hw/misc/vfio.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) -- 1.8.1.4 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely 2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster @ 2014-02-21 16:42 ` Markus Armbruster 2014-02-21 16:47 ` Peter Maydell 2014-02-21 17:17 ` Alex Williamson 2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster 1 sibling, 2 replies; 8+ messages in thread From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw) To: qemu-devel; +Cc: alex.williamson readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. vfio_init() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by reserving space for the null byte when calling readlink(), like we do elsewhere. Spotted by Coverity. Signed-off-by: Markus Armbruster <armbru@redhat.com> --- hw/misc/vfio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c index 8db182f..8e56785 100644 --- a/hw/misc/vfio.c +++ b/hw/misc/vfio.c @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev) strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); - len = readlink(path, iommu_group_path, PATH_MAX); + len = readlink(path, iommu_group_path, PATH_MAX - 1); if (len <= 0) { error_report("vfio: error no iommu_group for device"); return -errno; -- 1.8.1.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely 2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster @ 2014-02-21 16:47 ` Peter Maydell 2014-02-21 17:17 ` Alex Williamson 1 sibling, 0 replies; 8+ messages in thread From: Peter Maydell @ 2014-02-21 16:47 UTC (permalink / raw) To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote: > readlink() returns the number of bytes written to the buffer, and it > doesn't write a terminating null byte. vfio_init() writes it itself. > Overruns the buffer when readlink() filled it completely. > > Fix by reserving space for the null byte when calling readlink(), like > we do elsewhere. > > Spotted by Coverity. > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > hw/misc/vfio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c > index 8db182f..8e56785 100644 > --- a/hw/misc/vfio.c > +++ b/hw/misc/vfio.c > @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev) > > strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); > > - len = readlink(path, iommu_group_path, PATH_MAX); > + len = readlink(path, iommu_group_path, PATH_MAX - 1); > if (len <= 0) { > error_report("vfio: error no iommu_group for device"); > return -errno; "sizeof(iommu_group_path) - 1" would be slightly better, I think, but PATH_MAX - 1 works too. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> (cc stable?) thanks -- PMM ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely 2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster 2014-02-21 16:47 ` Peter Maydell @ 2014-02-21 17:17 ` Alex Williamson 2014-02-24 14:04 ` Markus Armbruster 1 sibling, 1 reply; 8+ messages in thread From: Alex Williamson @ 2014-02-21 17:17 UTC (permalink / raw) To: Markus Armbruster; +Cc: qemu-devel On Fri, 2014-02-21 at 17:42 +0100, Markus Armbruster wrote: > readlink() returns the number of bytes written to the buffer, and it > doesn't write a terminating null byte. vfio_init() writes it itself. > Overruns the buffer when readlink() filled it completely. > > Fix by reserving space for the null byte when calling readlink(), like > we do elsewhere. > > Spotted by Coverity. > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > hw/misc/vfio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c > index 8db182f..8e56785 100644 > --- a/hw/misc/vfio.c > +++ b/hw/misc/vfio.c > @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev) > > strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); > > - len = readlink(path, iommu_group_path, PATH_MAX); > + len = readlink(path, iommu_group_path, PATH_MAX - 1); > if (len <= 0) { > error_report("vfio: error no iommu_group for device"); > return -errno; I'm not sure why we wouldn't follow the same logic as pci-assign here. If we fill to the length provided we have no idea if we have the full path. We certainly expect it to fit well within PATH_MAX, so let's handle it as an error if we reach PATH_MAX. Thanks, Alex ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely 2014-02-21 17:17 ` Alex Williamson @ 2014-02-24 14:04 ` Markus Armbruster 0 siblings, 0 replies; 8+ messages in thread From: Markus Armbruster @ 2014-02-24 14:04 UTC (permalink / raw) To: Alex Williamson; +Cc: qemu-devel Alex Williamson <alex.williamson@redhat.com> writes: > On Fri, 2014-02-21 at 17:42 +0100, Markus Armbruster wrote: >> readlink() returns the number of bytes written to the buffer, and it >> doesn't write a terminating null byte. vfio_init() writes it itself. >> Overruns the buffer when readlink() filled it completely. >> >> Fix by reserving space for the null byte when calling readlink(), like >> we do elsewhere. >> >> Spotted by Coverity. >> >> Signed-off-by: Markus Armbruster <armbru@redhat.com> >> --- >> hw/misc/vfio.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c >> index 8db182f..8e56785 100644 >> --- a/hw/misc/vfio.c >> +++ b/hw/misc/vfio.c >> @@ -3681,7 +3681,7 @@ static int vfio_initfn(PCIDevice *pdev) >> >> strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); >> >> - len = readlink(path, iommu_group_path, PATH_MAX); >> + len = readlink(path, iommu_group_path, PATH_MAX - 1); >> if (len <= 0) { >> error_report("vfio: error no iommu_group for device"); >> return -errno; > > I'm not sure why we wouldn't follow the same logic as pci-assign here. > If we fill to the length provided we have no idea if we have the full > path. We certainly expect it to fit well within PATH_MAX, so let's > handle it as an error if we reach PATH_MAX. Thanks, Fair point. v2 sent. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY 2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster 2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster @ 2014-02-21 16:42 ` Markus Armbruster 2014-02-21 16:51 ` Peter Maydell 1 sibling, 1 reply; 8+ messages in thread From: Markus Armbruster @ 2014-02-21 16:42 UTC (permalink / raw) To: qemu-devel; +Cc: alex.williamson readlink() doesn't write a terminating null byte. assign_failed_examine() passes the unterminated string to strrchr(). Oops. Terminate it. Spotted by Coverity. Signed-off-by: Markus Armbruster <armbru@redhat.com> --- hw/i386/kvm/pci-assign.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c index 9686801..a825871 100644 --- a/hw/i386/kvm/pci-assign.c +++ b/hw/i386/kvm/pci-assign.c @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev) goto fail; } + driver[r] = 0; ns = strrchr(driver, '/'); if (!ns) { goto fail; -- 1.8.1.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY 2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster @ 2014-02-21 16:51 ` Peter Maydell 2014-02-21 16:55 ` Peter Maydell 0 siblings, 1 reply; 8+ messages in thread From: Peter Maydell @ 2014-02-21 16:51 UTC (permalink / raw) To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote: > readlink() doesn't write a terminating null byte. > assign_failed_examine() passes the unterminated string to strrchr(). > Oops. Terminate it. > > Spotted by Coverity. > > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > hw/i386/kvm/pci-assign.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c > index 9686801..a825871 100644 > --- a/hw/i386/kvm/pci-assign.c > +++ b/hw/i386/kvm/pci-assign.c > @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev) > goto fail; > } > > + driver[r] = 0; This will write off the end of the buffer if readlink() filled it completely, won't it? I think you also need to change the readlink() 3rd argument to "sizeof(driver) - 1". thanks -- PMM ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY 2014-02-21 16:51 ` Peter Maydell @ 2014-02-21 16:55 ` Peter Maydell 0 siblings, 0 replies; 8+ messages in thread From: Peter Maydell @ 2014-02-21 16:55 UTC (permalink / raw) To: Markus Armbruster; +Cc: Alex Williamson, QEMU Developers On 21 February 2014 16:51, Peter Maydell <peter.maydell@linaro.org> wrote: > On 21 February 2014 16:42, Markus Armbruster <armbru@redhat.com> wrote: >> readlink() doesn't write a terminating null byte. >> assign_failed_examine() passes the unterminated string to strrchr(). >> Oops. Terminate it. >> >> Spotted by Coverity. >> >> Signed-off-by: Markus Armbruster <armbru@redhat.com> >> --- >> hw/i386/kvm/pci-assign.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c >> index 9686801..a825871 100644 >> --- a/hw/i386/kvm/pci-assign.c >> +++ b/hw/i386/kvm/pci-assign.c >> @@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev) >> goto fail; >> } >> >> + driver[r] = 0; > > This will write off the end of the buffer if readlink() > filled it completely, won't it? I think you also need > to change the readlink() 3rd argument to "sizeof(driver) - 1". Apologies for this aspersion -- we check for "r == sizeof(driver)" and bail out before we get here, so the patch is ok. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> thanks -- PMM ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2014-02-24 14:13 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-02-21 16:42 [Qemu-devel] [PATCH 0/2] Two buffer overruns in device assignment Markus Armbruster 2014-02-21 16:42 ` [Qemu-devel] [PATCH 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster 2014-02-21 16:47 ` Peter Maydell 2014-02-21 17:17 ` Alex Williamson 2014-02-24 14:04 ` Markus Armbruster 2014-02-21 16:42 ` [Qemu-devel] [PATCH 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster 2014-02-21 16:51 ` Peter Maydell 2014-02-21 16:55 ` Peter Maydell
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).