From: Stefan Hajnoczi <stefanha@redhat.com>
To: Jagannathan Raman <jag.raman@oracle.com>
Cc: elena.ufimtseva@oracle.com, fam@euphon.net,
swapnil.ingle@nutanix.com, john.g.johnson@oracle.com,
qemu-devel@nongnu.org, kraxel@redhat.com, quintela@redhat.com,
mst@redhat.com, armbru@redhat.com, kanth.ghatraju@oracle.com,
felipe@nutanix.com, thuth@redhat.com, ehabkost@redhat.com,
konrad.wilk@oracle.com, dgilbert@redhat.com,
alex.williamson@redhat.com, thanos.makatos@nutanix.com,
kwolf@redhat.com, berrange@redhat.com, mreitz@redhat.com,
ross.lagerwall@citrix.com, marcandre.lureau@gmail.com,
pbonzini@redhat.com
Subject: Re: [PATCH v16 08/20] io: add qio_channel_readv_full_all_eof & qio_channel_readv_full_all helpers
Date: Tue, 12 Jan 2021 11:15:37 +0000 [thread overview]
Message-ID: <20210112111537.GD194658@stefanha-x1.localdomain> (raw)
In-Reply-To: <f55038eb623c809e474181a090ede9d11567ed63.1610339529.git.jag.raman@oracle.com>
On Mon, Jan 11, 2021 at 12:05:53AM -0500, Jagannathan Raman wrote:
> @@ -112,20 +132,36 @@ int qio_channel_readv_all_eof(QIOChannel *ioc,
> qio_channel_wait(ioc, G_IO_IN);
> }
> continue;
> - } else if (len < 0) {
> - goto cleanup;
> - } else if (len == 0) {
> - if (partial) {
> - error_setg(errp,
> - "Unexpected end-of-file before all bytes were read");
> - } else {
> - ret = 0;
> + }
> +
> + if (len <= 0) {
> + size_t fd_idx = nfds ? *nfds : 0;
This loads uninitialized memory when len < 0 and the caller has not
initialized *nfds because qio_channel_readv_full() does not set *nfds =
0 in the failure case.
qio_channel_readv_full() should clear nfds at the start of the function:
if (nfds) {
*nfds = 0;
}
> + if (len == 0) {
> + if (partial) {
> + error_setg(errp,
> + "Unexpected end-of-file before all bytes were read");
> + } else {
> + ret = 0;
> + }
> + }
> +
> + while (fds && fd_idx) {
> + close(*fds[fd_idx - 1]);
The type of fds is int **. Taking operator precedence into account, we
get:
int *ptr = fds[fd_idx - 1]; /* fds = {&int1, &int2, &int3, ...} */
close(*ptr);
That is not the intended behavior. I think this should be:
close((*fds)[fd_idx - 1]);
> + fd_idx--;
> + }
> +
> + if (fds) {
> + g_free(*fds);
> }
> +
> goto cleanup;
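Review bot: The new combined `if (len <= 0)` block sets no error of its own on the `len < 0` path, so it relies on `qio_channel_readv_full()` having filled `errp` on every negative return; that is worth confirming explicitly, because a caller that receives `ret < 0` with `*errp` still NULL has nothing to report. The close-and-free loop also now runs on the clean-EOF path (`len == 0`, `!partial`, `ret = 0`), so a caller gets a success return while `*fds` has already been freed; with the pointer and count cleared as requested above that is safe, but a short comment stating that EOF never hands descriptors back to the caller would make the ownership rule visible at the call site.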
Please clear fds and nfds so there is no way the caller can accidentally
use the freed values.
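To show the error-path cleanup the review asks for in working form, here is an added example that is not QEMU's code and not part of this thread. `fake_receive_fds()` is a constructed stand-in for the fds/nfds out-parameter contract of the `qio_channel_readv_full*` helpers (it hands back pipe read ends instead of descriptors received over a socket), and `drop_received_fds()` is a hypothetical cleanup routine that applies the three points raised above: clear `*nfds`/`*fds` before use, index the received array as `(*fds)[i]` rather than `*fds[i]`, and NULL out both out-parameters after freeing so the caller cannot reuse them.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for a receive that returns SCM_RIGHTS descriptors:
 * it opens `count` pipes and hands the read ends back through fds/nfds,
 * exactly the way the caller would own them after a real receive. */
static int fake_receive_fds(int **fds, size_t *nfds, size_t count)
{
    /* Clear the out-parameters first, so a failure never leaves the
     * caller looking at stale or uninitialized values. */
    if (nfds) {
        *nfds = 0;
    }
    if (fds) {
        *fds = NULL;
    }
    if (!fds || !nfds || count == 0) {
        return 0;
    }
    int *arr = calloc(count, sizeof(*arr));
    if (!arr) {
        return -1;
    }
    for (size_t i = 0; i < count; i++) {
        int p[2];
        if (pipe(p) < 0) {
            for (size_t j = 0; j < i; j++) {
                close(arr[j]);          /* roll back what was opened */
            }
            free(arr);
            return -1;
        }
        arr[i] = p[0];
        close(p[1]);                    /* only the read end is handed back */
    }
    *fds = arr;
    *nfds = count;
    return (int)count;
}

/* Hypothetical error-path cleanup: close every received descriptor using
 * (*fds)[i] indexing, free the array, and clear both out-parameters.
 * Returns the number of descriptors closed. */
static size_t drop_received_fds(int **fds, size_t *nfds)
{
    size_t closed = 0;
    size_t fd_idx = nfds ? *nfds : 0;

    while (fds && *fds && fd_idx) {
        close((*fds)[fd_idx - 1]);      /* not *fds[fd_idx - 1] */
        fd_idx--;
        closed++;
    }
    if (fds) {
        free(*fds);
        *fds = NULL;                    /* no dangling pointer for the caller */
    }
    if (nfds) {
        *nfds = 0;                      /* no stale count either */
    }
    return closed;
}

/* Returns 1 if fd is closed (fcntl fails with EBADF), 0 if still open. */
static int fd_is_closed(int fd)
{
    return fcntl(fd, F_GETFD) == -1 && errno == EBADF;
}

/* Receives `count` descriptors, drops them, and checks that every one is
 * closed and both out-parameters were cleared. Returns 1 on success. */
static int run_cleanup_demo(size_t count)
{
    int *fds = NULL;
    size_t nfds = 42;                   /* deliberately stale before the call */
    if (fake_receive_fds(&fds, &nfds, count) < 0) {
        return 0;
    }
    int saved[16];
    size_t n = nfds < 16 ? nfds : 16;
    for (size_t i = 0; i < n; i++) {
        saved[i] = fds[i];
    }
    size_t closed = drop_received_fds(&fds, &nfds);
    if (closed != count || fds != NULL || nfds != 0) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (!fd_is_closed(saved[i])) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("cleanup ok: %d\n", run_cleanup_demo(3));
    return 0;
}
```

The `*fds && fd_idx` guard makes the loop safe even if a callee ever reports a non-zero count with a NULL array, and checking `EBADF` after the fact is the cheapest way to confirm in a unit test that no descriptor leaked on the error path.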
2021-01-11 5:05 [PATCH v16 00/20] Initial support for multi-process Qemu Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 01/20] multi-process: add the concept description to docs/devel/qemu-multiprocess Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 02/20] multi-process: add configure and usage information Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 03/20] memory: alloc RAM from file at offset Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 04/20] multi-process: Add config option for multi-process QEMU Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 05/20] multi-process: setup PCI host bridge for remote device Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 06/20] multi-process: setup a machine object for remote device process Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 07/20] io: add qio_channel_writev_full_all helper Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 08/20] io: add qio_channel_readv_full_all_eof & qio_channel_readv_full_all helpers Jagannathan Raman
2021-01-12 11:15 ` Stefan Hajnoczi [this message]
2021-01-11 5:05 ` [PATCH v16 09/20] multi-process: define MPQemuMsg format and transmission functions Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 10/20] multi-process: Initialize message handler in remote device Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 11/20] multi-process: Associate fd of a PCIDevice with its object Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 12/20] multi-process: setup memory manager for remote device Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 13/20] multi-process: introduce proxy object Jagannathan Raman
2021-01-11 5:05 ` [PATCH v16 14/20] multi-process: add proxy communication functions Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 15/20] multi-process: Forward PCI config space acceses to the remote process Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 16/20] multi-process: PCI BAR read/write handling for proxy & remote endpoints Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 17/20] multi-process: Synchronize remote memory Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 18/20] multi-process: create IOHUB object to handle irq Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 19/20] multi-process: Retrieve PCI info from remote process Jagannathan Raman
2021-01-11 5:06 ` [PATCH v16 20/20] multi-process: perform device reset in the " Jagannathan Raman
2021-01-11 5:20 ` [PATCH v16 00/20] Initial support for multi-process Qemu 罗勇刚(Yonggang Luo)
2021-01-11 18:02 ` Jag Raman
2021-01-11 20:13 ` 罗勇刚(Yonggang Luo)
2021-01-13 16:45 ` Jag Raman
2021-01-12 11:17 ` Stefan Hajnoczi