Date: Tue, 30 Mar 2010 19:17:38 +0530
From: Amit Shah
Message-ID: <20100330134738.GA4365@amit-x200.redhat.com>
Subject: [Qemu-devel] Re: [PATCH 14/15] virtio-serial: Handle scatter-gather buffers for control messages
To: Juan Quintela
Cc: Avi Kivity, Gerd Hoffmann, qemu list, "Michael S. Tsirkin"

On (Tue) Mar 30 2010 [15:44:21], Juan Quintela wrote:
> Amit Shah wrote:
> > Current control messages are small enough to not be split into multiple
> > buffers, but we could run into such a situation in the future, or a
> > malicious guest could cause such a situation.
> >
> > So handle the entire iov request for control messages.
> >
> > Also ensure the size of the control request is >= what we expect;
> > otherwise we risk accessing memory that we don't own.
> >
> > Signed-off-by: Amit Shah
> > CC: Avi Kivity
> > Reported-by: Avi Kivity
> > ---
> >  hw/virtio-serial-bus.c |   34 +++++++++++++++++++++++++++++++---
> >  1 files changed, 31 insertions(+), 3 deletions(-)
> >
> > diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> > index bd1223e..3edfeca 100644
> >      vser = DO_UPCAST(VirtIOSerial, vdev, vdev);
> >
> > +    len = 0;
> > +    buf = NULL;
> >      while (virtqueue_pop(vq, &elem)) {
> > -        handle_control_message(vser, elem.out_sg[0].iov_base);
> > -        virtqueue_push(vq, &elem, elem.out_sg[0].iov_len);
> > +        size_t cur_len, copied;
> > +
> > +        cur_len = iov_size(elem.out_sg, elem.out_num);
> > +        /*
> > +         * Allocate a new buf only if we didn't have one previously or
> > +         * if the size of the buf differs
> > +         */
> > +        if (cur_len != len) {
> > +            if (len) {
> > +                qemu_free(buf);
> > +            }
> > +            buf = qemu_malloc(cur_len);
> > +            len = cur_len;
> > +        }
>
> This can be simplified to only allocate the buffer if it is less, no?

Currently all the control messages are the same size, sizeof(struct
virtio_console_control), so it wouldn't matter.

But I guess this could be done; just have to ensure we don't leak data
meant for one control message to another.

		Amit
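Review bot: in the quoted hunk, `buf = qemu_malloc(cur_len)` runs before any length check, so a zero-length or undersized out_sg from the guest still reaches the allocator with a guest-chosen size; the commit message promises a `>= sizeof(struct virtio_console_control)` check, so it belongs ahead of the `if (cur_len != len)` block, with the element pushed back without allocating when it fails. The `if (len)` guard around `qemu_free(buf)` can also go, since `buf = NULL` is set above the loop and freeing a NULL pointer is a no-op in free(), which qemu_free wraps.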
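Juan's grow-only suggestion combined with Amit's caveat about not leaking one message's bytes into the next, as an added example in C that is neither QEMU's nor the patch's code: `struct ctrl_hdr` stands in for virtio_console_control, and `ctrl_buf`, `iov_total_len`, `iov_copy` and `handle_ctrl` are hypothetical names. It also runs the minimum-size check the commit message describes before anything is allocated.

```c
/* Added example, not QEMU's own code: coalesce a guest-supplied scatter-gather
 * list into one buffer, reuse a grow-only scratch buffer across messages, and
 * never read more bytes than were copied for the current message.
 * ctrl_hdr, ctrl_buf, iov_total_len, iov_copy and handle_ctrl are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
/* Stand-in for the fixed-size control header the patch expects. */
struct ctrl_hdr { uint32_t id; uint16_t event; uint16_t value; };
/* Grow-only scratch buffer: reallocated only when a message is larger. */
struct ctrl_buf { uint8_t *data; size_t cap; };

/* Total payload length across all segments (what iov_size() computes). */
static size_t iov_total_len(const struct iovec *iov, unsigned n)
{
    size_t total = 0;
    for (unsigned i = 0; i < n; i++) total += iov[i].iov_len;
    return total;
}
/* Copy at most cap bytes from the segments into dst; return bytes copied. */
static size_t iov_copy(const struct iovec *iov, unsigned n, uint8_t *dst, size_t cap)
{
    size_t done = 0;
    for (unsigned i = 0; i < n && done < cap; i++) {
        size_t take = iov[i].iov_len < cap - done ? iov[i].iov_len : cap - done;
        memcpy(dst + done, iov[i].iov_base, take);
        done += take;
    }
    return done;
}
/* 1 and *out filled when a whole header arrived, 0 when the guest sent too
 * little, -1 on allocation failure. Only the bytes copied for this message
 * are read, so a larger buffer kept from an earlier message cannot leak into
 * this one even though it is never cleared. */
int handle_ctrl(struct ctrl_buf *b, const struct iovec *iov, unsigned n, struct ctrl_hdr *out)
{
    size_t need = iov_total_len(iov, n);
    if (need < sizeof(struct ctrl_hdr)) return 0;   /* size check before malloc */
    if (need > b->cap) {
        uint8_t *p = realloc(b->data, need);
        if (!p) return -1;
        b->data = p;
        b->cap = need;
    }
    if (iov_copy(iov, n, b->data, need) < sizeof(struct ctrl_hdr)) return 0;
    memcpy(out, b->data, sizeof *out);
    return 1;
}
```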