From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Michael Roth <mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PULL 01/40] target-ppc: Document TOCTTOU in hugepage support
Date: Fri, 18 Mar 2016 18:00:48 +0100 [thread overview]
Message-ID: <1458320487-19603-2-git-send-email-armbru@redhat.com> (raw)
In-Reply-To: <1458320487-19603-1-git-send-email-armbru@redhat.com>
The code to find the minimum page size is is vulnerable to TOCTTOU.
Added in commit 2d103aa "target-ppc: fix hugepage support when using
memory-backend-file" (v2.4.0). Since I can't fix it myself right now,
add a FIXME comment.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1458066895-20632-2-git-send-email-armbru@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
target-ppc/kvm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 776336b..2fc9931 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -333,6 +333,12 @@ static long gethugepagesize(const char *mem_path)
return fs.f_bsize;
}
+/*
+ * FIXME TOCTTOU: this iterates over memory backends' mem-path, which
+ * may or may not name the same files / on the same filesystem now as
+ * when we actually open and map them. Iterate over the file
+ * descriptors instead, and use qemu_fd_getpagesize().
+ */
static int find_max_supported_pagesize(Object *obj, void *opaque)
{
char *mem_path;
--
2.4.3
next prev parent reply other threads:[~2016-03-18 17:01 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-18 17:00 [Qemu-devel] [PULL 00/40] ivshmem: Fixes, cleanups, device model split Markus Armbruster
2016-03-18 17:00 ` Markus Armbruster [this message]
2016-03-18 17:00 ` [Qemu-devel] [PULL 02/40] ivshmem-server: Fix and clean up command line help Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 03/40] ivshmem-server: Don't overload POSIX shmem and file name Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 04/40] qemu-doc: Fix ivshmem huge page example Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 05/40] event_notifier: Make event_notifier_init_fd() #ifdef CONFIG_EVENTFD Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 06/40] tests/libqos/pci-pc: Fix qpci_pc_iomap() to map BARs aligned Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 07/40] ivshmem-test: Improve test case /ivshmem/single Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 08/40] ivshmem-test: Clean up wait for devices to become operational Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 09/40] ivshmem-test: Improve test cases /ivshmem/server-* Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 10/40] ivshmem: Rewrite specification document Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 11/40] ivshmem: Add missing newlines to debug printfs Markus Armbruster
2016-03-18 17:00 ` [Qemu-devel] [PULL 12/40] ivshmem: Compile debug prints unconditionally to prevent bit-rot Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 13/40] ivshmem: Clean up after commit 9940c32 Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 14/40] ivshmem: Drop ivshmem_event() stub Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 15/40] ivshmem: Don't destroy the chardev on version mismatch Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 16/40] ivshmem: Fix harmless misuse of Error Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 17/40] ivshmem: Failed realize() can leave migration blocker behind Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 18/40] ivshmem: Clean up register callbacks Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 19/40] ivshmem: Clean up MSI-X conditions Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 20/40] ivshmem: Leave INTx alone when using MSI-X Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 21/40] ivshmem: Assert interrupts are set up once Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 22/40] ivshmem: Simplify rejection of invalid peer ID from server Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 23/40] ivshmem: Disentangle ivshmem_read() Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 24/40] ivshmem: Plug leaks on unplug, fix peer disconnect Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 25/40] ivshmem: Receive shared memory synchronously in realize() Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 26/40] ivshmem: Propagate errors through ivshmem_recv_setup() Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 27/40] ivshmem: Rely on server sending the ID right after the version Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 28/40] ivshmem: Drop the hackish test for UNIX domain chardev Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 29/40] ivshmem: Simplify how we cope with short reads from server Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 30/40] ivshmem: Tighten check of property "size" Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 31/40] ivshmem: Implement shm=... with a memory backend Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 32/40] ivshmem: Simplify memory regions for BAR 2 (shared memory) Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 33/40] ivshmem: Inline check_shm_size() into its only caller Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 34/40] qdev: New DEFINE_PROP_ON_OFF_AUTO Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 35/40] ivshmem: Replace int role_val by OnOffAuto master Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 36/40] ivshmem: Split ivshmem-plain, ivshmem-doorbell off ivshmem Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 37/40] ivshmem: Clean up after the previous commit Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 38/40] ivshmem: Drop ivshmem property x-memdev Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 39/40] ivshmem: Require master to have ID zero Markus Armbruster
2016-03-18 17:01 ` [Qemu-devel] [PULL 40/40] contrib/ivshmem-server: Print "not for production" warning Markus Armbruster
2016-03-21 9:45 ` [Qemu-devel] [PULL 00/40] ivshmem: Fixes, cleanups, device model split Peter Maydell
2016-03-21 10:05 ` Markus Armbruster
2016-03-21 10:18 ` Peter Maydell
2016-03-21 11:52 ` Markus Armbruster
2016-03-21 12:11 ` Markus Armbruster
2016-03-28 6:02 ` Marcel Apfelbaum
2016-03-28 6:38 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458320487-19603-2-git-send-email-armbru@redhat.com \
--to=armbru@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).