From: Peter Xu <peterx@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Fabiano Rosas <farosas@suse.de>,
	peterx@redhat.com
Subject: [PULL 02/12] migration/multifd: Ensure packet->ramblock is null-terminated
Date: Wed,  9 Oct 2024 08:42:28 -0400
Message-ID: <20241009124238.371084-3-peterx@redhat.com>
In-Reply-To: <20241009124238.371084-1-peterx@redhat.com>

From: Fabiano Rosas <farosas@suse.de>

Coverity points out that the current usage of strncpy to write the
ramblock name allows the field to not have an ending '\0' in case
idstr is already not null-terminated (e.g. if it's larger than 256
bytes).

This is currently harmless because the packet->ramblock field is never
touched again on the source side. The destination side reads only up
to the field's size from the stream and forces the last byte to be 0.

We're still open to a programming error in the future in case this
field is ever passed into a function that expects a null-terminated
string.

Change from strncpy to QEMU's pstrcpy, which puts a '\0' at the end of
the string and doesn't fill the extra space with zeros.

(there's no spillage between iterations of fill_packet because after
commit 87bb9e953e ("migration/multifd: Isolate ram pages packet data")
the packet is always zeroed before filling)

Resolves: Coverity CID 1560071
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20240919150611.17074-1-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/multifd-nocomp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/migration/multifd-nocomp.c b/migration/multifd-nocomp.c
index 07c63f4a72..55191152f9 100644
--- a/migration/multifd-nocomp.c
+++ b/migration/multifd-nocomp.c
@@ -17,6 +17,7 @@
 #include "multifd.h"
 #include "options.h"
 #include "qapi/error.h"
+#include "qemu/cutils.h"
 #include "qemu/error-report.h"
 #include "trace.h"
 
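Review bot: the new `#include "qemu/cutils.h"` is required because pstrcpy() is declared there, and it is correctly slotted in alphabetical order between "qapi/error.h" and "qemu/error-report.h"; no further change needed in this hunk.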
@@ -201,7 +202,8 @@ void multifd_ram_fill_packet(MultiFDSendParams *p)
     packet->zero_pages = cpu_to_be32(zero_num);
 
     if (pages->block) {
-        strncpy(packet->ramblock, pages->block->idstr, 256);
+        pstrcpy(packet->ramblock, sizeof(packet->ramblock),
+                pages->block->idstr);
     }
 
     for (int i = 0; i < pages->num; i++) {
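Review bot: pstrcpy() copies at most sizeof(packet->ramblock) - 1 bytes and always writes the terminating '\0', so an idstr that is 256 characters or longer is now silently truncated instead of being left unterminated; the commit message says the destination reads only the field's size and forces the last byte to 0, so the wire format is unchanged, but a one-line comment at the call site noting that over-long idstr values are accepted as truncated would make that intent explicit. Replacing the literal 256 with sizeof(packet->ramblock) also removes the hard-coded size the old strncpy line depended on. Unlike strncpy, pstrcpy does not zero-fill the remainder of the buffer; the message states the packet is zeroed before multifd_ram_fill_packet() runs, which is what keeps stale bytes out of the unused tail of the field.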
-- 
2.45.0
