[Qemu-devel] [PULL 0/1] Fixes for QGA

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PULL 0/1] Fixes for QGA
@ 2014-10-22 12:59 Michael Roth
  2014-10-22 12:59 ` [Qemu-devel] [PATCH] qga: Rewrite code where using readdir_r Michael Roth
  2014-10-23  9:46 ` [Qemu-devel] [PULL 0/1] Fixes for QGA Peter Maydell
  0 siblings, 2 replies; 3+ messages in thread
From: Michael Roth @ 2014-10-22 12:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, zhang.zhanghailiang, qemu-stable

The following changes since commit 01a2050fa5fb3d290134b67ee82eb3ebbd91d95b:

  hw/i386/pc_q35.c: Avoid g_assert_cmpint() as it is not in glib 2.12 (2014-10-22 11:32:44 +0100)

are available in the git repository at:

  git://github.com/mdroth/qemu.git tags/qga-pull-2014-10-22-tag

for you to fetch changes up to e668d1b8545f1c79cf869bd78813cb1e52216f45:

  qga: Rewrite code where using readdir_r (2014-10-22 07:49:52 -0500)

----------------------------------------------------------------
qga: remove readdir_r usage and fix use-after-free

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

----------------------------------------------------------------
zhanghailiang (1):
      qga: Rewrite code where using readdir_r

 qga/commands-posix.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Qemu-devel] [PATCH] qga: Rewrite code where using readdir_r
  2014-10-22 12:59 [Qemu-devel] [PULL 0/1] Fixes for QGA Michael Roth
@ 2014-10-22 12:59 ` Michael Roth
  2014-10-23  9:46 ` [Qemu-devel] [PULL 0/1] Fixes for QGA Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Roth @ 2014-10-22 12:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, zhang.zhanghailiang, qemu-stable

From: zhanghailiang <zhang.zhanghailiang@huawei.com>

If readdir_r fails, error_setg_errno will reference the freed
pointer *dirpath*.

Moreover, readdir_r may cause a buffer overflow, using readdir instead.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qga/commands-posix.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 7eed7f4..f6f3e3c 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -956,7 +956,7 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath,
 {
     DIR *dir;
     char *dirpath;
-    struct dirent entry, *result;
+    struct dirent *entry;
 
     dirpath = g_strdup_printf("%s/slaves", syspath);
     dir = opendir(dirpath);
@@ -965,22 +965,24 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath,
         g_free(dirpath);
         return;
     }
-    g_free(dirpath);
 
     for (;;) {
-        if (readdir_r(dir, &entry, &result) != 0) {
-            error_setg_errno(errp, errno, "readdir_r(\"%s\")", dirpath);
-            break;
-        }
-        if (!result) {
+        errno = 0;
+        entry = readdir(dir);
+        if (entry == NULL) {
+            if (errno) {
+                error_setg_errno(errp, errno, "readdir(\"%s\")", dirpath);
+            }
             break;
         }
 
-        if (entry.d_type == DT_LNK) {
-            g_debug(" slave device '%s'", entry.d_name);
-            dirpath = g_strdup_printf("%s/slaves/%s", syspath, entry.d_name);
-            build_guest_fsinfo_for_device(dirpath, fs, errp);
-            g_free(dirpath);
+        if (entry->d_type == DT_LNK) {
+            char *path;
+
+            g_debug(" slave device '%s'", entry->d_name);
+            path = g_strdup_printf("%s/slaves/%s", syspath, entry->d_name);
+            build_guest_fsinfo_for_device(path, fs, errp);
+            g_free(path);
 
             if (*errp) {
                 break;
@@ -988,6 +990,7 @@ static void build_guest_fsinfo_for_virtual_device(char const *syspath,
         }
     }
 
+    g_free(dirpath);
     closedir(dir);
 }
 
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PULL 0/1] Fixes for QGA
  2014-10-22 12:59 [Qemu-devel] [PULL 0/1] Fixes for QGA Michael Roth
  2014-10-22 12:59 ` [Qemu-devel] [PATCH] qga: Rewrite code where using readdir_r Michael Roth
@ 2014-10-23  9:46 ` Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2014-10-23  9:46 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-stable, QEMU Developers, zhanghailiang

On 22 October 2014 13:59, Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
> The following changes since commit 01a2050fa5fb3d290134b67ee82eb3ebbd91d95b:
>
>   hw/i386/pc_q35.c: Avoid g_assert_cmpint() as it is not in glib 2.12 (2014-10-22 11:32:44 +0100)
>
> are available in the git repository at:
>
>   git://github.com/mdroth/qemu.git tags/qga-pull-2014-10-22-tag
>
> for you to fetch changes up to e668d1b8545f1c79cf869bd78813cb1e52216f45:
>
>   qga: Rewrite code where using readdir_r (2014-10-22 07:49:52 -0500)
>
> ----------------------------------------------------------------
> qga: remove readdir_r usage and fix use-after-free
>
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2014-10-23  9:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-22 12:59 [Qemu-devel] [PULL 0/1] Fixes for QGA Michael Roth
2014-10-22 12:59 ` [Qemu-devel] [PATCH] qga: Rewrite code where using readdir_r Michael Roth
2014-10-23  9:46 ` [Qemu-devel] [PULL 0/1] Fixes for QGA Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).