From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 16/88] tests: add QMP input visitor test for unions with no discriminator
Date: Thu, 8 Jan 2015 11:33:20 -0600 [thread overview]
Message-ID: <1420738472-23267-17-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com>
This is more of an exercise of the dealloc visitor, where it may
erroneously use an uninitialized discriminator field as indication
that union fields corresponding to that discriminator field/type are
present, which can lead to attempts to free random chunks of heap
memory.
Cc: qemu-stable@nongnu.org
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit cb55111b4e425fa3279302fa7306b9a3d5164ff4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
tests/qapi-schema/qapi-schema-test.json | 10 ++++++++++
tests/qapi-schema/qapi-schema-test.out | 3 +++
tests/test-qmp-input-strict.c | 17 +++++++++++++++++
3 files changed, 30 insertions(+)
diff --git a/tests/qapi-schema/qapi-schema-test.json b/tests/qapi-schema/qapi-schema-test.json
index ab4d3d9..d43b5fd 100644
--- a/tests/qapi-schema/qapi-schema-test.json
+++ b/tests/qapi-schema/qapi-schema-test.json
@@ -33,6 +33,9 @@
{ 'type': 'UserDefB',
'data': { 'integer': 'int' } }
+{ 'type': 'UserDefC',
+ 'data': { 'string1': 'str', 'string2': 'str' } }
+
{ 'union': 'UserDefUnion',
'base': 'UserDefZero',
'data': { 'a' : 'UserDefA', 'b' : 'UserDefB' } }
@@ -47,6 +50,13 @@
# FIXME generated struct UserDefFlatUnion has members for direct base
# UserDefOne, but lacks members for indirect base UserDefZero
+# this variant of UserDefFlatUnion defaults to a union that uses fields with
+# allocated types to test corner cases in the cleanup/dealloc visitor
+{ 'union': 'UserDefFlatUnion2',
+ 'base': 'UserDefUnionBase',
+ 'discriminator': 'enum1',
+ 'data': { 'value1' : 'UserDefC', 'value2' : 'UserDefB', 'value3' : 'UserDefA' } }
+
{ 'union': 'UserDefAnonUnion',
'discriminator': {},
'data': { 'uda': 'UserDefA', 's': 'str', 'i': 'int' } }
diff --git a/tests/qapi-schema/qapi-schema-test.out b/tests/qapi-schema/qapi-schema-test.out
index 95e9899..08d7304 100644
--- a/tests/qapi-schema/qapi-schema-test.out
+++ b/tests/qapi-schema/qapi-schema-test.out
@@ -6,9 +6,11 @@
OrderedDict([('type', 'UserDefNested'), ('data', OrderedDict([('string0', 'str'), ('dict1', OrderedDict([('string1', 'str'), ('dict2', OrderedDict([('userdef1', 'UserDefOne'), ('string2', 'str')])), ('*dict3', OrderedDict([('userdef2', 'UserDefOne'), ('string3', 'str')]))]))]))]),
OrderedDict([('type', 'UserDefA'), ('data', OrderedDict([('boolean', 'bool')]))]),
OrderedDict([('type', 'UserDefB'), ('data', OrderedDict([('integer', 'int')]))]),
+ OrderedDict([('type', 'UserDefC'), ('data', OrderedDict([('string1', 'str'), ('string2', 'str')]))]),
OrderedDict([('union', 'UserDefUnion'), ('base', 'UserDefZero'), ('data', OrderedDict([('a', 'UserDefA'), ('b', 'UserDefB')]))]),
OrderedDict([('type', 'UserDefUnionBase'), ('data', OrderedDict([('string', 'str'), ('enum1', 'EnumOne')]))]),
OrderedDict([('union', 'UserDefFlatUnion'), ('base', 'UserDefUnionBase'), ('discriminator', 'enum1'), ('data', OrderedDict([('value1', 'UserDefA'), ('value2', 'UserDefB'), ('value3', 'UserDefB')]))]),
+ OrderedDict([('union', 'UserDefFlatUnion2'), ('base', 'UserDefUnionBase'), ('discriminator', 'enum1'), ('data', OrderedDict([('value1', 'UserDefC'), ('value2', 'UserDefB'), ('value3', 'UserDefA')]))]),
OrderedDict([('union', 'UserDefAnonUnion'), ('discriminator', OrderedDict()), ('data', OrderedDict([('uda', 'UserDefA'), ('s', 'str'), ('i', 'int')]))]),
OrderedDict([('union', 'UserDefNativeListUnion'), ('data', OrderedDict([('integer', ['int']), ('s8', ['int8']), ('s16', ['int16']), ('s32', ['int32']), ('s64', ['int64']), ('u8', ['uint8']), ('u16', ['uint16']), ('u32', ['uint32']), ('u64', ['uint64']), ('number', ['number']), ('boolean', ['bool']), ('string', ['str'])]))]),
OrderedDict([('command', 'user_def_cmd'), ('data', OrderedDict())]),
@@ -32,6 +34,7 @@
OrderedDict([('type', 'UserDefNested'), ('data', OrderedDict([('string0', 'str'), ('dict1', OrderedDict([('string1', 'str'), ('dict2', OrderedDict([('userdef1', 'UserDefOne'), ('string2', 'str')])), ('*dict3', OrderedDict([('userdef2', 'UserDefOne'), ('string3', 'str')]))]))]))]),
OrderedDict([('type', 'UserDefA'), ('data', OrderedDict([('boolean', 'bool')]))]),
OrderedDict([('type', 'UserDefB'), ('data', OrderedDict([('integer', 'int')]))]),
+ OrderedDict([('type', 'UserDefC'), ('data', OrderedDict([('string1', 'str'), ('string2', 'str')]))]),
OrderedDict([('type', 'UserDefUnionBase'), ('data', OrderedDict([('string', 'str'), ('enum1', 'EnumOne')]))]),
OrderedDict([('type', 'UserDefOptions'), ('data', OrderedDict([('*i64', ['int']), ('*u64', ['uint64']), ('*u16', ['uint16']), ('*i64x', 'int'), ('*u64x', 'uint64')]))]),
OrderedDict([('type', 'EventStructOne'), ('data', OrderedDict([('struct1', 'UserDefOne'), ('string', 'str'), ('*enum2', 'EnumOne')]))])]
diff --git a/tests/test-qmp-input-strict.c b/tests/test-qmp-input-strict.c
index 0f77003..d5360c6 100644
--- a/tests/test-qmp-input-strict.c
+++ b/tests/test-qmp-input-strict.c
@@ -260,6 +260,21 @@ static void test_validate_fail_union_flat(TestInputVisitorData *data,
qapi_free_UserDefFlatUnion(tmp);
}
+static void test_validate_fail_union_flat_no_discrim(TestInputVisitorData *data,
+ const void *unused)
+{
+ UserDefFlatUnion2 *tmp = NULL;
+ Error *err = NULL;
+ Visitor *v;
+
+ /* test situation where discriminator field ('enum1' here) is missing */
+ v = validate_test_init(data, "{ 'string': 'c', 'string1': 'd', 'string2': 'e' }");
+
+ visit_type_UserDefFlatUnion2(v, &tmp, NULL, &err);
+ g_assert(err);
+ qapi_free_UserDefFlatUnion2(tmp);
+}
+
static void test_validate_fail_union_anon(TestInputVisitorData *data,
const void *unused)
{
@@ -310,6 +325,8 @@ int main(int argc, char **argv)
&testdata, test_validate_fail_union);
validate_test_add("/visitor/input-strict/fail/union-flat",
&testdata, test_validate_fail_union_flat);
+ validate_test_add("/visitor/input-strict/fail/union-flat-no-discriminator",
+ &testdata, test_validate_fail_union_flat_no_discrim);
validate_test_add("/visitor/input-strict/fail/union-anon",
&testdata, test_validate_fail_union_anon);
--
1.9.1
next prev parent reply other threads:[~2015-01-08 17:35 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-08 17:33 [Qemu-devel] Patch Round-up for stable 2.1.3, freeze on 2015-01-14 Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 01/88] qdev: Use NULL instead of local_err for qbus_child unrealize Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 02/88] qdev: Add cleanup logic in device_set_realized() to avoid resource leak Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 03/88] exec: file_ram_alloc(): print error when prealloc fails Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 04/88] xhci PCIe endpoint migration compatibility fix Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 05/88] Introduce cpu_clean_all_dirty Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 06/88] kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 07/88] kvmclock: Ensure time in migration never goes backward Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 08/88] kvmclock: Add comment explaining why we need cpu_clean_all_dirty() Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 09/88] pci: Use bus master address space for delivering MSI/MSI-X messages Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 10/88] virtio-pci: enable bus master for old guests Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 11/88] spapr_pci: map the MSI window in each PHB Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 12/88] hw/arm/virt: fix pl011 and pl031 irq flags Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 13/88] gdbstub: init mon_chr through qemu_chr_alloc Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 14/88] qapi: add visit_start_union and visit_end_union Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 15/88] qapi: dealloc visitor, implement visit_start_union Michael Roth
2015-01-08 17:33 ` Michael Roth [this message]
2015-01-08 17:33 ` [Qemu-devel] [PATCH 17/88] qemu-iotests: Test missing "driver" key for blockdev-add Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 18/88] monitor: Reset HMP mon->rs in CHR_EVENT_OPEN Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 19/88] virtio-balloon: fix integer overflow in memory stats feature Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 20/88] vhost-user: fix VIRTIO_NET_F_MRG_RXBUF negotiation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 21/88] ivshmem: Check ivshmem_read() size argument Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 22/88] ivshmem: validate incoming_posn value from server Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 23/88] ivshmem: Fix potential OOB r/w access Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 24/88] ivshmem: Fix fd leak on error Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 25/88] pc-dimm: Don't check dimm->node when there is non-NUMA config Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 26/88] tests: avoid running duplicate qom-tests Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 27/88] snapshot: fix referencing wrong variable in while loop in do_delvm Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 28/88] smbios: Fix assertion on socket count calculation Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 29/88] vhost-scsi: use virtio_ldl_p Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 30/88] virtio-net: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 31/88] virtio-net: fix virtio-net child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 32/88] virtio/vhost-scsi: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 33/88] virtio/vhost-scsi: fix virtio-scsi/vhost-scsi child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 34/88] virtio-serial: use aliases instead of duplicate qdev properties Michael Roth
2015-05-11 15:21 ` Peter Maydell
2015-01-08 17:33 ` [Qemu-devel] [PATCH 35/88] virtio-serial: fix virtio-serial child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 36/88] virtio-rng: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 37/88] virtio-rng: fix virtio-rng child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 38/88] virtio-balloon: fix virtio-balloon " Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 39/88] virtio-9p: use aliases instead of duplicate qdev properties Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 40/88] virtio-9p: fix virtio-9p child refcount in transports Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 41/88] pc: Fix disabling of vapic for compat PC models Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 42/88] vmware-vga: CVE-2014-3689: turn off hw accel Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 43/88] vmware-vga: add vmsvga_verify_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 44/88] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 45/88] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 46/88] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 47/88] qcow2: Do not overflow when writing an L1 sector Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 48/88] libcacard: don't free sign buffer while sign op is pending Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 49/88] Make qemu_shutdown_requested signal-safe Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 50/88] vnc: sanitize bits_per_pixel from the client Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 51/88] virtio-scsi: sense in virtio_scsi_command_complete Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 52/88] tcg/mips: fix store softmmu slow path Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 53/88] hw/core/loader: implement address translation in uimage loader Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 54/88] hw/xtensa/xtfpga: treat uImage load address as virtual Michael Roth
2015-01-08 17:33 ` [Qemu-devel] [PATCH 55/88] snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 56/88] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*) Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 57/88] esp-pci: fixup deadlock with linux Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for entry Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 59/88] kvm: Fix memory slot page alignment logic Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 60/88] virtio-scsi: work around bug in old BIOSes Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 61/88] libcacard: fix resource leak Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 62/88] l2tpv3: fix possible double free Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 63/88] exec: Handle multipage ranges in invalidate_and_set_dirty() Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 64/88] hw/ide/core.c: Prevent SIGSEGV during migration Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 65/88] virtio-net: fix unmap leak Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 66/88] block: Make essential BlockDriver objects public Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 67/88] block: Omit bdrv_find_format for essential drivers Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 68/88] block/vvfat: qcow driver may not be found Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 69/88] block/nfs: Add create_opts Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 70/88] block: Check create_opts before image creation Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 71/88] qemu-img: " Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 72/88] qemu-img: Check create_opts before image amendment Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 73/88] iotests: Only kill NBD server if it runs Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 74/88] iotests: Add test for unsupported image creation Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 75/88] qcow2: Prevent numerical overflow Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 76/88] qcow2: Flushing the caches in qcow2_close may fail Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 77/88] qcow2: Respect bdrv_truncate() error Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 78/88] block/raw-posix: Fix ret in raw_open_common() Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 79/88] block migration: fix return value Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 80/88] qcow2: Fix header extension size check Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 81/88] qcow2.py: Add required padding for header extensions Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 82/88] block: Don't probe for unknown backing file format Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 83/88] linuxboot: compute initrd loading address Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 84/88] linuxboot: fix loading old kernels Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 85/88] audio: Don't free hw resources until after hw backend is stopped Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 86/88] target-xtensa: fix translation for opcodes crossing page boundary Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 87/88] target-xtensa: test cross-page opcode Michael Roth
2015-01-08 17:34 ` [Qemu-devel] [PATCH 88/88] pc: acpi: mark all possible CPUs as enabled in SRAT Michael Roth
2015-01-09 17:27 ` [Qemu-devel] Patch Round-up for stable 2.1.3, freeze on 2015-01-14 Marcel Apfelbaum
2015-01-09 22:42 ` Paolo Bonzini
2015-01-13 17:49 ` William Dauchy
2015-01-13 18:48 ` Marcel Apfelbaum
2015-01-13 19:53 ` Michael Roth
2015-01-13 20:40 ` Paolo Bonzini
2015-01-13 21:03 ` Michael Roth
2015-01-13 21:03 ` Michael Roth
2015-01-26 9:06 ` [Qemu-devel] [Qemu-stable] " Gonglei (Arei)
2015-01-13 19:55 ` Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1420738472-23267-17-git-send-email-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).