Re: [Qemu-devel] [PATCH] acpi: fix file size check with -acpitable.

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Isaku Yamahata <yamahata@valinux.co.jp>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] acpi: fix file size check with -acpitable.
Date: Tue, 24 Aug 2010 14:06:06 +0900	[thread overview]
Message-ID: <20100824050606.GJ20428@valinux.co.jp> (raw)
In-Reply-To: <20100729090842.GL31169@valinux.co.jp>

ping.

On Thu, Jul 29, 2010 at 06:08:42PM +0900, Isaku Yamahata wrote:
> acpi table file can be modified during load so file size check
> should be more strict.
> pointer calculation should be after qemu_realloc(). not before realloc().
> 
> Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
> ---
>  hw/acpi.c |   28 +++++++++++++++++++---------
>  1 files changed, 19 insertions(+), 9 deletions(-)
> 
> diff --git a/hw/acpi.c b/hw/acpi.c
> index c7044b1..069e05f 100644
> --- a/hw/acpi.c
> +++ b/hw/acpi.c
> @@ -50,6 +50,8 @@ int acpi_table_add(const char *t)
>      char buf[1024], *p, *f;
>      struct acpi_table_header acpi_hdr;
>      unsigned long val;
> +    uint32_t length;
> +    struct acpi_table_header *acpi_hdr_p;
>      size_t off;
>  
>      memset(&acpi_hdr, 0, sizeof(acpi_hdr));
> @@ -108,7 +110,7 @@ int acpi_table_add(const char *t)
>           buf[0] = '\0';
>      }
>  
> -    acpi_hdr.length = sizeof(acpi_hdr);
> +    length = sizeof(acpi_hdr);
>  
>      f = buf;
>      while (buf[0]) {
> @@ -120,7 +122,7 @@ int acpi_table_add(const char *t)
>              fprintf(stderr, "Can't stat file '%s': %s\n", f, strerror(errno));
>              goto out;
>          }
> -        acpi_hdr.length += s.st_size;
> +        length += s.st_size;
>          if (!n)
>              break;
>          *n = ':';
> @@ -131,12 +133,12 @@ int acpi_table_add(const char *t)
>          acpi_tables_len = sizeof(uint16_t);
>          acpi_tables = qemu_mallocz(acpi_tables_len);
>      }
> +    acpi_tables = qemu_realloc(acpi_tables,
> +                               acpi_tables_len + sizeof(uint16_t) + length);
>      p = acpi_tables + acpi_tables_len;
> -    acpi_tables_len += sizeof(uint16_t) + acpi_hdr.length;
> -    acpi_tables = qemu_realloc(acpi_tables, acpi_tables_len);
> +    acpi_tables_len += sizeof(uint16_t) + length;
>  
> -    acpi_hdr.length = cpu_to_le32(acpi_hdr.length);
> -    *(uint16_t*)p = acpi_hdr.length;
> +    *(uint16_t*)p = cpu_to_le32(length);
>      p += sizeof(uint16_t);
>      memcpy(p, &acpi_hdr, sizeof(acpi_hdr));
>      off = sizeof(acpi_hdr);
> @@ -157,7 +159,9 @@ int acpi_table_add(const char *t)
>              goto out;
>          }
>  
> -        do {
> +        /* off < length is necessary because file size can be changed
> +           under our foot */
> +        while(s.st_size && off < length); {
>              int r;
>              r = read(fd, p + off, s.st_size);
>              if (r > 0) {
> @@ -167,15 +171,21 @@ int acpi_table_add(const char *t)
>                  close(fd);
>                  goto out;
>              }
> -        } while(s.st_size);
> +        }
>  
>          close(fd);
>          if (!n)
>              break;
>          f = n + 1;
>      }
> +    if (off < length) {
> +        /* don't pass random value in process to guest */
> +        memset(p + off, 0, length - off);
> +    }
>  
> -    ((struct acpi_table_header*)p)->checksum = acpi_checksum((uint8_t*)p, off);
> +    acpi_hdr_p = (struct acpi_table_header*)p;
> +    acpi_hdr_p->length = cpu_to_le32(length);
> +    acpi_hdr_p->checksum = acpi_checksum((uint8_t*)p, length);
>      /* increase number of tables */
>      (*(uint16_t*)acpi_tables) =
>  	    cpu_to_le32(le32_to_cpu(*(uint16_t*)acpi_tables) + 1);
> -- 
> 1.7.1.1
> 

-- 
yamahata

next prev parent reply	other threads:[~2010-08-24  4:55 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-07-29  9:08 [Qemu-devel] [PATCH] acpi: fix file size check with -acpitable Isaku Yamahata
2010-08-24  5:06 ` Isaku Yamahata [this message]
2010-08-31 18:27   ` Blue Swirl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100824050606.GJ20428@valinux.co.jp \
    --to=yamahata@valinux.co.jp \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).