From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: Riku Voipio <riku.voipio@iki.fi>, patches@linaro.org
Subject: [Qemu-devel] [PATCH 1/2] linux-user: Fix length handling in host_to_target_cmsg
Date: Tue, 26 May 2015 19:46:31 +0100 [thread overview]
Message-ID: <1432665992-32622-2-git-send-email-peter.maydell@linaro.org> (raw)
In-Reply-To: <1432665992-32622-1-git-send-email-peter.maydell@linaro.org>
The previous code for handling payload length when converting
cmsg structures from host to target had a number of problems:
* we required the msg->msg_controllen to declare the buffer
to have enough space for final trailing padding (we were
checking against CMSG_SPACE), whereas the kernel does not
require this, and common userspace code assumes this. (In
particular, glibc's "try to talk to nscd" code that it will
run on startup will receive a cmsg with a 4 byte payload and
only allocate 4 bytes for it, which was causing us to do
the wrong thing on architectures that need 8-alignment.)
* we weren't correctly handling the fact that the SO_TIMESTAMP
payload may be larger for the target than the host
* we weren't marking the messages with MSG_CTRUNC when we did
need to truncate a message that wasn't truncated by the host,
but were instead logging a QEMU message; since truncation is
always the result of a guest giving us an insufficiently
sized buffer, we should report it to the guest as the kernel
does and don't log anything
Rewrite the parts of the function that deal with length to
fix these issues, and add a comment in target_to_host_cmsg
to explain why the overflow logging it does is a QEMU bug,
not a guest issue.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
linux-user/syscall.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 61 insertions(+), 8 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1622ad6..3db6a90 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1202,6 +1202,15 @@ static inline abi_long target_to_host_cmsg(struct msghdr *msgh,
space += CMSG_SPACE(len);
if (space > msgh->msg_controllen) {
space -= CMSG_SPACE(len);
+ /* This is a QEMU bug, since we allocated the payload
+ * area ourselves (unlike overflow in host-to-target
+ * conversion, which is just the guest giving us a buffer
+ * that's too small). It can't happen for the payload types
+ * we currently support; if it becomes an issue in future
+ * we would need to improve our allocation strategy to
+ * something more intelligent than "twice the size of the
+ * target buffer we're reading from".
+ */
gemu_log("Host cmsg overflow\n");
break;
}
@@ -1267,11 +1276,16 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh,
void *target_data = TARGET_CMSG_DATA(target_cmsg);
int len = cmsg->cmsg_len - CMSG_ALIGN(sizeof (struct cmsghdr));
+ int tgt_len, tgt_space;
- space += TARGET_CMSG_SPACE(len);
- if (space > msg_controllen) {
- space -= TARGET_CMSG_SPACE(len);
- gemu_log("Target cmsg overflow\n");
+ /* We never copy a half-header but may copy half-data;
+ * this is Linux's behaviour in put_cmsg(). Note that
+ * truncation here is a guest problem (which we report
+ * to the guest via the CTRUNC bit), unlike truncation
+ * in target_to_host_cmsg, which is a QEMU bug.
+ */
+ if (msg_controllen < sizeof(struct cmsghdr)) {
+ target_msgh->msg_flags |= tswap32(MSG_CTRUNC);
break;
}
@@ -1281,8 +1295,35 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh,
target_cmsg->cmsg_level = tswap32(cmsg->cmsg_level);
}
target_cmsg->cmsg_type = tswap32(cmsg->cmsg_type);
- target_cmsg->cmsg_len = tswapal(TARGET_CMSG_LEN(len));
+ tgt_len = TARGET_CMSG_LEN(len);
+
+ /* Payload types which need a different size of payload on
+ * the target must adjust tgt_len here.
+ */
+ switch (cmsg->cmsg_level) {
+ case SOL_SOCKET:
+ switch (cmsg->cmsg_type) {
+ case SO_TIMESTAMP:
+ tgt_len = sizeof(struct target_timeval);
+ break;
+ default:
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (msg_controllen < tgt_len) {
+ target_msgh->msg_flags |= tswap32(MSG_CTRUNC);
+ tgt_len = msg_controllen;
+ }
+
+ /* We must now copy-and-convert len bytes of payload
+ * into tgt_len bytes of destination space. Bear in mind
+ * that in both source and destination we may be dealing
+ * with a truncated value!
+ */
switch (cmsg->cmsg_level) {
case SOL_SOCKET:
switch (cmsg->cmsg_type) {
@@ -1290,7 +1331,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh,
{
int *fd = (int *)data;
int *target_fd = (int *)target_data;
- int i, numfds = len / sizeof(int);
+ int i, numfds = tgt_len / sizeof(int);
for (i = 0; i < numfds; i++)
target_fd[i] = tswap32(fd[i]);
@@ -1302,8 +1343,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh,
struct target_timeval *target_tv =
(struct target_timeval *)target_data;
- if (len != sizeof(struct timeval))
+ if (len != sizeof(struct timeval) ||
+ tgt_len != sizeof(struct target_timeval)) {
goto unimplemented;
+ }
/* copy struct timeval to target */
target_tv->tv_sec = tswapal(tv->tv_sec);
@@ -1330,9 +1373,19 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh,
unimplemented:
gemu_log("Unsupported ancillary data: %d/%d\n",
cmsg->cmsg_level, cmsg->cmsg_type);
- memcpy(target_data, data, len);
+ memcpy(target_data, data, MIN(len, tgt_len));
+ if (tgt_len > len) {
+ memset(target_data + len, 0, tgt_len - len);
+ }
}
+ target_cmsg->cmsg_len = tswapal(tgt_len);
+ tgt_space = TARGET_CMSG_SPACE(tgt_len);
+ if (msg_controllen < tgt_space) {
+ tgt_space = msg_controllen;
+ }
+ msg_controllen -= tgt_space;
+ space += tgt_space;
cmsg = CMSG_NXTHDR(msgh, cmsg);
target_cmsg = TARGET_CMSG_NXTHDR(target_msgh, target_cmsg);
}
--
1.9.1
next prev parent reply other threads:[~2015-05-26 18:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-26 18:46 [Qemu-devel] [PATCH 0/2] linux-user: Fix length handling in cmsg conversions Peter Maydell
2015-05-26 18:46 ` Peter Maydell [this message]
2015-05-26 18:46 ` [Qemu-devel] [PATCH 2/2] linux-user: use __get_user and __put_user " Peter Maydell
2015-06-05 15:03 ` [Qemu-devel] [PATCH 0/2] linux-user: Fix length handling " Peter Maydell
2015-06-06 10:07 ` Riku Voipio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432665992-32622-2-git-send-email-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=patches@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=riku.voipio@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).