From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Alex Williamson" <alex.williamson@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v3 1/4] display: ensure qxl log_buf is a nul terminated string
Date: Tue, 22 Jan 2019 16:49:37 +0000 [thread overview]
Message-ID: <20190122164940.29244-2-berrange@redhat.com> (raw)
In-Reply-To: <20190122164940.29244-1-berrange@redhat.com>
The QXL_IO_LOG command allows the guest to send log messages to the host
via a buffer in the QXLRam struct. QEMU prints these to the console if
the qxl 'guestdebug' option is set to non-zero. It will also feed them
to the trace subsystem if any backends are built-in.
In both cases the log_buf data will get treated as being as a nul
terminated string, by the printf '%s' format specifier and / or other
code reading the buffer.
QEMU does nothing to guarantee that the log_buf really is nul terminated,
so there is potential for out of bounds array access.
This would affect any QEMU which has the log, syslog or ftrace trace
backends built into QEMU. It can only be triggered if the 'qxl_io_log'
trace event is enabled, however, so they are not vulnerable without
specific administrative action to enable this.
It would also affect QEMU if the 'guestdebug' parameter is set to a
non-zero value, which again is not the default and requires explicit
admin opt-in.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
hw/display/qxl.c | 14 ++++++++++----
hw/display/trace-events | 2 +-
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 8e9a65e75b..da8fd5a40a 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1763,10 +1763,16 @@ async_common:
qxl_set_mode(d, val, 0);
break;
case QXL_IO_LOG:
- trace_qxl_io_log(d->id, d->ram->log_buf);
- if (d->guestdebug) {
- fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), d->ram->log_buf);
+ if (TRACE_QXL_IO_LOG_ENABLED || d->guestdebug) {
+ /* We cannot trust the guest to NUL terminate d->ram->log_buf */
+ char *log_buf = g_strndup((const char *)d->ram->log_buf,
+ sizeof(d->ram->log_buf));
+ trace_qxl_io_log(d->id, log_buf);
+ if (d->guestdebug) {
+ fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
+ qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), log_buf);
+ }
+ g_free(log_buf);
}
break;
case QXL_IO_RESET:
diff --git a/hw/display/trace-events b/hw/display/trace-events
index 5a48c6cb6a..387c6b8931 100644
--- a/hw/display/trace-events
+++ b/hw/display/trace-events
@@ -72,7 +72,7 @@ qxl_interface_update_area_complete_rest(int qid, uint32_t num_updated_rects) "%d
qxl_interface_update_area_complete_overflow(int qid, int max) "%d max=%d"
qxl_interface_update_area_complete_schedule_bh(int qid, uint32_t num_dirty) "%d #dirty=%d"
qxl_io_destroy_primary_ignored(int qid, const char *mode) "%d %s"
-qxl_io_log(int qid, const uint8_t *log_buf) "%d %s"
+qxl_io_log(int qid, const char *log_buf) "%d %s"
qxl_io_read_unexpected(int qid) "%d"
qxl_io_unexpected_vga_mode(int qid, uint64_t addr, uint64_t val, const char *desc) "%d 0x%"PRIx64"=%"PRIu64" (%s)"
qxl_io_write(int qid, const char *mode, uint64_t addr, const char *aname, uint64_t val, unsigned size, int async) "%d %s addr=%"PRIu64 " (%s) val=%"PRIu64" size=%u async=%d"
--
2.20.1
next prev parent reply other threads:[~2019-01-22 19:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-22 16:49 [Qemu-devel] [PATCH v3 0/4] trace: make systemtap easier to use for simple logging Daniel P. Berrangé
2019-01-22 16:49 ` Daniel P. Berrangé [this message]
2019-01-22 17:23 ` [Qemu-devel] [PATCH v3 1/4] display: ensure qxl log_buf is a nul terminated string Eric Blake
2019-01-22 16:49 ` [Qemu-devel] [PATCH v3 2/4] trace: enforce that every trace-events file has a final newline Daniel P. Berrangé
2019-01-22 16:49 ` [Qemu-devel] [PATCH v3 3/4] trace: forbid use of %m in trace event format strings Daniel P. Berrangé
2019-01-22 17:25 ` Eric Blake
2019-01-22 16:49 ` [Qemu-devel] [PATCH v3 4/4] trace: add ability to do simple printf logging via systemtap Daniel P. Berrangé
2019-01-22 17:42 ` Eric Blake
2019-01-23 11:59 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190122164940.29244-2-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).