From: Eduardo Habkost <ehabkost@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 12/24] hostmem: Validate host-nodes before setting bitmap
Date: Tue, 11 Dec 2018 16:01:17 -0200
Message-ID: <20181211180129.7661-13-ehabkost@redhat.com>
In-Reply-To: <20181211180129.7661-1-ehabkost@redhat.com>
host_memory_backend_set_host_nodes() was not validating
host-nodes before writing to backend->host_nodes, making QEMU
write beyond the end of the bitmap.
Fix the crash and add a simple regression test for the fix.
While at it, fix memory leak of the list returned by
visit_type_uint16List().
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20181130122844.29103-1-ehabkost@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
[ehabkost: removed test case code]
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
backends/hostmem.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/backends/hostmem.c b/backends/hostmem.c
index 1a89342039..af800284e0 100644
--- a/backends/hostmem.c
+++ b/backends/hostmem.c
@@ -103,14 +103,23 @@ host_memory_backend_set_host_nodes(Object *obj, Visitor *v, const char *name,
{
#ifdef CONFIG_NUMA
HostMemoryBackend *backend = MEMORY_BACKEND(obj);
- uint16List *l = NULL;
+ uint16List *l, *host_nodes = NULL;
- visit_type_uint16List(v, name, &l, errp);
+ visit_type_uint16List(v, name, &host_nodes, errp);
- while (l) {
+ for (l = host_nodes; l; l = l->next) {
+ if (l->value >= MAX_NODES) {
+ error_setg(errp, "Invalid host-nodes value: %d", l->value);
+ goto out;
+ }
+ }
+
+ for (l = host_nodes; l; l = l->next) {
bitmap_set(backend->host_nodes, l->value, 1);
- l = l->next;
}
+
+out:
+ qapi_free_uint16List(host_nodes);
#else
error_setg(errp, "NUMA node binding are not supported by this QEMU");
#endif
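Review bot: the validate-then-apply split is the right shape, since the second loop runs only after every value has passed the `l->value >= MAX_NODES` check, so a list with one bad entry leaves `backend->host_nodes` untouched instead of half-set. One thing worth tightening in this hunk is the failure path of `visit_type_uint16List(v, name, &host_nodes, errp)`: the code relies on `host_nodes` remaining NULL when the visit fails so that both loops are skipped and `qapi_free_uint16List(host_nodes)` becomes a no-op; an explicit local error check after the visit (collect into a `local_err`, propagate and return) would make that intent visible and would not depend on the visitor's contract for the out-pointer on error. Minor: the message "Invalid host-nodes value: %d" could include the bound (MAX_NODES) so the user knows what is acceptable, and since `l->value` is a uint16 `%u` matches the type more naturally than `%d`, although `%d` is correct after integer promotion. Also note that `bitmap_set()` only sets bits, so setting the property a second time accumulates nodes rather than replacing them; that is pre-existing behaviour, not introduced here, but worth a comment if it is intended.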
--
2.18.0.rc1.1.g3f1ff2140