[Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28
@ 2017-03-28  8:46 Greg Kurz
  2017-03-28  8:46 ` [Qemu-devel] [PULL 1/2] 9pfs: fix file descriptor leak Greg Kurz
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Greg Kurz @ 2017-03-28  8:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Greg Kurz

The following changes since commit eb06c9e2d3c8f026a206e8402b0ffa201060ec8e:

  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2017-03-27 17:34:50 +0100)

are available in the git repository at:

  https://github.com/gkurz/qemu.git tags/for-upstream

for you to fetch changes up to 34ef723ce34aaa14f94530c06a0ab3170a19bb59:

  tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct (2017-03-27 21:15:31 +0200)

----------------------------------------------------------------
This series fixes potential memory/fd leaks in 9pfs and a crash when
running tests/virtio-9p-test on SPARC hosts.

----------------------------------------------------------------
Li Qiang (1):
      9pfs: fix file descriptor leak

Peter Maydell (1):
      tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct

 hw/9pfs/9p.c           | 8 ++++++++
 tests/virtio-9p-test.c | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)
-- 
2.7.4

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Qemu-devel] [PULL 1/2] 9pfs: fix file descriptor leak
  2017-03-28  8:46 [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Greg Kurz
@ 2017-03-28  8:46 ` Greg Kurz
  2017-03-28  8:46 ` [Qemu-devel] [PULL 2/2] tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct Greg Kurz
  2017-03-28  9:41 ` [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Greg Kurz @ 2017-03-28  8:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Greg Kurz, Li Qiang, Li Qiang

From: Li Qiang <liq3ea@gmail.com>

The v9fs_create() and v9fs_lcreate() functions are used to create a file
on the backend and to associate it to a fid. The fid shouldn't be already
in-use, otherwise both functions may silently leak a file descriptor or
allocated memory. The current code doesn't check that.

This patch ensures that the fid isn't already associated to anything
before using it.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
(reworded the changelog, Greg Kurz)
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 hw/9pfs/9p.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index b8c0b993580c..48babce836b6 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque)
         err = -ENOENT;
         goto out_nofid;
     }
+    if (fidp->fid_type != P9_FID_NONE) {
+        err = -EINVAL;
+        goto out;
+    }
 
     flags = get_dotl_openflags(pdu->s, flags);
     err = v9fs_co_open2(pdu, fidp, &name, gid,
@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque)
         err = -EINVAL;
         goto out_nofid;
     }
+    if (fidp->fid_type != P9_FID_NONE) {
+        err = -EINVAL;
+        goto out;
+    }
     if (perm & P9_STAT_MODE_DIR) {
         err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
                             fidp->uid, -1, &stbuf);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [Qemu-devel] [PULL 2/2] tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct
  2017-03-28  8:46 [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Greg Kurz
  2017-03-28  8:46 ` [Qemu-devel] [PULL 1/2] 9pfs: fix file descriptor leak Greg Kurz
@ 2017-03-28  8:46 ` Greg Kurz
  2017-03-28  9:41 ` [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Greg Kurz @ 2017-03-28  8:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, Greg Kurz

From: Peter Maydell <peter.maydell@linaro.org>

For a packed struct like 'P9Hdr' the fields within it may not be
aligned as much as the natural alignment for their types.  This means
it is not valid to pass the address of such a field to a function
like le32_to_cpus() which operate on uint32_t* and assume alignment.
Doing this results in a SIGBUS on hosts like SPARC which have strict
alignment requirements.

Use ldl_le_p() instead, which is specified to correctly handle
unaligned pointers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 tests/virtio-9p-test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/virtio-9p-test.c b/tests/virtio-9p-test.c
index 43a1ad813fda..ad33d963876f 100644
--- a/tests/virtio-9p-test.c
+++ b/tests/virtio-9p-test.c
@@ -256,8 +256,8 @@ static void v9fs_req_recv(P9Req *req, uint8_t id)
         qvirtio_wait_queue_isr(v9p->dev, v9p->vq, 1000 * 1000);
 
         v9fs_memread(req, &hdr, 7);
-        le32_to_cpus(&hdr.size);
-        le16_to_cpus(&hdr.tag);
+        hdr.size = ldl_le_p(&hdr.size);
+        hdr.tag = lduw_le_p(&hdr.tag);
         if (hdr.size >= 7) {
             break;
         }
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28
  2017-03-28  8:46 [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Greg Kurz
  2017-03-28  8:46 ` [Qemu-devel] [PULL 1/2] 9pfs: fix file descriptor leak Greg Kurz
  2017-03-28  8:46 ` [Qemu-devel] [PULL 2/2] tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct Greg Kurz
@ 2017-03-28  9:41 ` Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2017-03-28  9:41 UTC (permalink / raw)
  To: Greg Kurz; +Cc: QEMU Developers

On 28 March 2017 at 09:46, Greg Kurz <groug@kaod.org> wrote:
> The following changes since commit eb06c9e2d3c8f026a206e8402b0ffa201060ec8e:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2017-03-27 17:34:50 +0100)
>
> are available in the git repository at:
>
>   https://github.com/gkurz/qemu.git tags/for-upstream
>
> for you to fetch changes up to 34ef723ce34aaa14f94530c06a0ab3170a19bb59:
>
>   tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct (2017-03-27 21:15:31 +0200)
>
> ----------------------------------------------------------------
> This series fixes potential memory/fd leaks in 9pfs and a crash when
> running tests/virtio-9p-test on SPARC hosts.
>
> ----------------------------------------------------------------
> Li Qiang (1):
>       9pfs: fix file descriptor leak
>
> Peter Maydell (1):
>       tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct

Applied, thanks.

-- PMM

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-03-28  9:41 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-28  8:46 [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Greg Kurz
2017-03-28  8:46 ` [Qemu-devel] [PULL 1/2] 9pfs: fix file descriptor leak Greg Kurz
2017-03-28  8:46 ` [Qemu-devel] [PULL 2/2] tests/virtio-9p-test: Don't call le*_to_cpus on fields of packed struct Greg Kurz
2017-03-28  9:41 ` [Qemu-devel] [PULL 0/2] 9pfs fixes for 2.9 2017-03-28 Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).