Re: [Qemu-devel] should we try to stop using variable length arrays?

["Daniel P. Berrangé" <berrange@redhat.com>]

On Thu, Feb 07, 2019 at 07:30:59PM +0000, Peter Maydell wrote:
> Currently QEMU has 9 uses of variable length arrays
> (found using -Wvla):
> 
> hw/block/dataplane/virtio-blk.c:62:25: warning: variable length array
> used [-Wvla]
>     unsigned long bitmap[BITS_TO_LONGS(nvqs)];
>                         ^
> hw/i386/multiboot.c:364:18: warning: variable length array used [-Wvla]
>     char kcmdline[strlen(kernel_filename) + strlen(kernel_cmdline) + 2];
>                  ^
> hw/i386/xen/xen-hvm.c:618:25: warning: variable length array used [-Wvla]
>     unsigned long bitmap[DIV_ROUND_UP(npages, width)];
>                         ^
> hw/intc/xics.c:604:18: warning: variable length array used [-Wvla]
>     uint8_t flags[ics->nr_irqs];
>                  ^
> hw/net/fsl_etsec/rings.c:383:18: warning: variable length array used [-Wvla]
>     uint8_t  padd[etsec->rx_padding];
>                  ^
> hw/ppc/pnv.c:130:26: warning: variable length array used [-Wvla]
>     uint32_t servers_prop[smt_threads];
>                          ^
> hw/ppc/spapr.c:162:26: warning: variable length array used [-Wvla]
>     uint32_t servers_prop[smt_threads];
>                          ^
> hw/ppc/spapr.c:163:27: warning: variable length array used [-Wvla]
>     uint32_t gservers_prop[smt_threads * 2];
>                           ^
> linux-user/syscall.c:3478:23: warning: variable length array used [-Wvla]
>     struct sembuf sops[nsops];
>                       ^
> 
> Should we be looking to get rid of these and turn on the -Wvla
> warning? I know the Linux kernel has recently decided to do this
> (some rationale at the start of https://lwn.net/Articles/749064/).
> Now that doesn't necessarily apply to us as a userspace program,
> but on the other hand if any of these were allowing the guest to
> determine the size of an on-stack array that would not be great.
> (The linux-user one is bogus in that way, though not a security issue
> as the guest code there has full control anyway.)
> 
> Opinions? I admit that to some extent this is just my sense of
> tidiness thinking that if we only have a handful of uses of
> something we should squash that down to zero :-)

I think we've got few enough uses of VLA that we would be justified in
removing them so that we can compile time prevent use of the potentially
dangerous feature, even if the current uses are safe.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|