From: "Daniel P. Berrange" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 2/2] io: fix stack allocation when sending of file descriptors
Date: Wed, 23 Dec 2015 10:50:59 +0000
Message-ID: <20151223105059.GD20028@redhat.com>
In-Reply-To: <5679946E.2060700@redhat.com>
On Tue, Dec 22, 2015 at 11:20:30AM -0700, Eric Blake wrote:
> On 12/21/2015 09:23 AM, Daniel P. Berrange wrote:
> > When sending file descriptors over a socket, we have to
> > allocate a data buffer to hold the FDs in the scmsghdr.
> > Unfortunately we allocated the buffer on the stack inside
> > an if () {} block, but called sendmsg() outside the block.
> > So the stack bytes holding the FDs were liable to be
> > overwritten with other data. By luck this was not a problem
> > when sending 1 FD, but if sending 2 or more then it would
> > fail.
> >
> > The fix is to simply move the variables outside the nested
> > 'if' block. To keep valgrind quiet we also zero-initialize
> > the 'control' buffer.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> > io/channel-socket.c | 7 ++-
> > tests/test-io-channel-socket.c | 98 ++++++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 101 insertions(+), 4 deletions(-)
> >
>
> The fix itself is obvious from the commit message; the bulk of this
> patch is the testsuite addition (which is a GOOD thing - thanks!).
Yes, I wasted lots of time trying to find the flaw before
I wrote the test case at which point it was trivial to
find with valgrind :-)
>
> > + qio_channel_readv_full(dst,
> > + iorecv,
> > + G_N_ELEMENTS(iorecv),
> > + &fdrecv,
> > + &nfdrecv,
> > + &error_abort);
> > +
> > + g_assert(nfdrecv == G_N_ELEMENTS(fdsend));
> > + /* Each recvd FD should be different from sent FD */
> > + for (i = 0; i < nfdrecv; i++) {
> > + g_assert_cmpint(fdrecv[i], !=, testfd);
> > + }
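Review bot: the check `g_assert_cmpint(fdrecv[i], !=, testfd)` only proves that the received descriptor numbers differ from testfd, which is true of any freshly installed FD; it does not show that each received FD refers to the same open file as the corresponding entry of fdsend[]. Comparing fstat() results (st_dev and st_ino) for fdrecv[i] and fdsend[i] inside the loop would catch a sender that ships the wrong descriptors or the right count of the wrong ones. Two smaller points: `g_assert(nfdrecv == G_N_ELEMENTS(fdsend))` prints nothing useful on failure, so prefer `g_assert_cmpint(nfdrecv, ==, G_N_ELEMENTS(fdsend))` in the style of the line below it, and the loop dereferences `fdrecv` without first asserting it is non-NULL, so a readv that returns no FD array would crash the test rather than fail it with a message.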
>
> Here, you blindly dereference fdrecv[]...
>
> > + unlink(TEST_FILE);
> > + close(testfd);
> > + if (fdrecv != NULL) {
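Review bot: `unlink(TEST_FILE)` sits after the assertions, so any g_assert failure above aborts the test before the file is removed and leaves TEST_FILE on disk for the next run; unlinking right after the file is opened (the descriptor stays valid) avoids that. The `if (fdrecv != NULL)` guard is also unreachable, since `fdrecv[i]` has already been dereferenced in the loop above, so the cleanup can simply run unconditionally.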
>
> ...so this if() is dead, and you can just always do the cleanup.
Yep, will fix
> That's minor, so:
> Reviewed-by: Eric Blake <eblake@redhat.com>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
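The pattern the commit message describes, written out as an added example that is not the QEMU patch's code and is not taken from io/channel-socket.c or the test file: a sendmsg()/recvmsg() pair passing SCM_RIGHTS descriptors over a socketpair, with the control buffer declared in function scope (not inside the `if (nfds)` block) and zero-initialised, plus a receiver that refuses truncated control data and never leaks descriptors it cannot return. The helper names (send_fds_fixed, recv_fds, demo_pass_two_fds), the DEMO_MAX_FDS cap and the choice of a pipe's two ends as the descriptors to send are assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define DEMO_MAX_FDS 16   /* demo cap on FDs per message, not QEMU's limit */
/* Send one data byte plus nfds descriptors over an AF_UNIX socket. The bug
 * the patch fixes: 'control' was declared inside the if (nfds) block while
 * sendmsg() ran after it, so msg_control pointed at dead stack. Here it has
 * function scope for the whole call and is zeroed, as the patch does. */
static int send_fds_fixed(int sock, const int *fds, size_t nfds)
{
    char data = 'x';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    struct msghdr msg;
    char control[CMSG_SPACE(sizeof(int) * DEMO_MAX_FDS)];
    struct cmsghdr *cmsg;
    if (nfds > DEMO_MAX_FDS) return -1;
    memset(&msg, 0, sizeof(msg));
    memset(control, 0, sizeof(control));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (nfds > 0) {
        msg.msg_control = control;
        msg.msg_controllen = CMSG_SPACE(sizeof(int) * nfds);
        cmsg = CMSG_FIRSTHDR(&msg);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int) * nfds);
        memcpy(CMSG_DATA(cmsg), fds, sizeof(int) * nfds);
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one byte and up to maxfds descriptors. Returns the count stored in
 * fds, or -1 on error or truncated control data (MSG_CTRUNC), which would
 * otherwise leave descriptors silently installed in this process. */
static int recv_fds(int sock, int *fds, size_t maxfds)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    struct msghdr msg;
    char control[CMSG_SPACE(sizeof(int) * DEMO_MAX_FDS)];
    struct cmsghdr *cmsg;
    size_t n = 0;
    memset(&msg, 0, sizeof(msg));
    memset(control, 0, sizeof(control));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = control;
    msg.msg_controllen = sizeof(control);
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        size_t got, i;
        if (cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) continue;
        got = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (i = 0; i < got; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(cmsg) + i * sizeof(int), sizeof(int));
            if (n < maxfds) fds[n++] = fd;
            else close(fd);   /* never leak a descriptor we cannot hand back */
        }
    }
    return (int)n;
}

/* Pass both ends of a pipe (two FDs, the case the old code got wrong) over a
 * socketpair and prove the copies work end to end. Returns 2 on success, the
 * received count if it was not 2, or -1 on any other failure. */
int demo_pass_two_fds(void)
{
    int sv[2], pfd[2], got[DEMO_MAX_FDS], n = 0, i, result = -1;
    char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (pipe(pfd) == 0) {
        if (send_fds_fixed(sv[0], pfd, 2) == 0) {
            n = recv_fds(sv[1], got, DEMO_MAX_FDS);
            if (n != 2) {
                result = n;
            } else if (got[0] != pfd[0] && got[1] != pfd[1] &&
                       write(got[1], "!", 1) == 1 &&
                       read(got[0], &c, 1) == 1 && c == '!') {
                result = 2;   /* received write end feeds received read end */
            }
            for (i = 0; i < n; i++) close(got[i]);
        }
        close(pfd[0]); close(pfd[1]);
    }
    close(sv[0]); close(sv[1]);
    return result;
}

int main(void)
{
    printf("verified descriptors: %d\n", demo_pass_two_fds());
    return 0;
}
```

The demo deliberately sends two descriptors, the count the commit message says exposed the original bug, and verifies them functionally rather than by descriptor number: a byte written into the received copy of the pipe's write end must come back out of the received copy of the read end. Running it under valgrind is the same approach Daniel describes for finding the scoping error in the unfixed code.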
Thread overview:
2015-12-21 16:23 [Qemu-devel] [PATCH 0/2] Fixes to FD passing with QIOChannel Daniel P. Berrange
2015-12-21 16:23 ` [Qemu-devel] [PATCH 1/2] io: fix setting of QIO_CHANNEL_FEATURE_FD_PASS on server connections Daniel P. Berrange
2015-12-22 18:14 ` Eric Blake
2015-12-23 10:49 ` Daniel P. Berrange
2015-12-21 16:23 ` [Qemu-devel] [PATCH 2/2] io: fix stack allocation when sending of file descriptors Daniel P. Berrange
2015-12-22 18:20 ` Eric Blake
2015-12-23 10:50 ` Daniel P. Berrange [this message]