* [PATCH 0/2] vfio/pci: Fix buffer overrun when writing the VF token
From: Cédric Le Goater @ 2023-10-25 10:12 UTC
To: qemu-devel
Cc: Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Juan Quintela, Peter Xu, Fabiano Rosas, Leonardo Bras, Cédric Le Goater

Hello,

This series fixes a buffer overrun in VFIO. The buffer used in vfio_realize() by qemu_uuid_unparse() is too small: UUID_FMT_LEN lacks one byte for the trailing NUL. Instead of adding + 1, as done elsewhere, the changes introduce a UUID_STR_LEN define for the correct size and use it where required.

Thanks,

C.

Cédric Le Goater (2):
  util/uuid: Add UUID_STR_LEN definition
  vfio/pci: Fix buffer overrun when writing the VF token

 include/qemu/uuid.h              | 1 +
 block/parallels-ext.c            | 2 +-
 block/vdi.c                      | 2 +-
 hw/core/qdev-properties-system.c | 2 +-
 hw/hyperv/vmbus.c                | 4 ++--
 hw/vfio/pci.c                    | 2 +-
 migration/savevm.c               | 4 ++--
 tests/unit/test-uuid.c           | 2 +-
 util/uuid.c                      | 2 +-
 9 files changed, 11 insertions(+), 10 deletions(-)

-- 
2.41.0
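The cover letter above describes a classic off-by-one: UUID_FMT_LEN counts the 36 visible characters of a UUID string, while the writer emits 37 bytes because snprintf() always appends a NUL. The block below is an added illustration, not QEMU's code and not part of this thread. It mirrors the UUID_FMT / UUID_FMT_LEN / UUID_STR_LEN definitions from include/qemu/uuid.h, but the type ExampleUUID, the helpers uuid_unparse_checked(), unparse_with_str_len(), unparse_with_fmt_len(), the ASSERT_UUID_BUF() macro and the sample UUID bytes are all constructed for the example. Unlike qemu_uuid_unparse(), the checked helper takes the destination size, so an undersized buffer is reported and truncated instead of being written past its end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as QEMU's UUID_FMT: 32 hex digits plus 4 dashes. */
#define UUID_FMT "%02hhx%02hhx%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-" \
                 "%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
#define UUID_FMT_LEN 36                  /* visible characters only */
#define UUID_STR_LEN (UUID_FMT_LEN + 1)  /* visible characters + NUL */

/* Compile-time guard a caller can place next to its buffer declaration
 * (hypothetical macro, not from QEMU). */
#define ASSERT_UUID_BUF(buf) \
    _Static_assert(sizeof(buf) >= UUID_STR_LEN, #buf " cannot hold a UUID string")

typedef struct { unsigned char data[16]; } ExampleUUID;  /* stand-in for QemuUUID */

/* Size-checked variant of the unparse operation (hypothetical). The caller
 * passes the destination size; snprintf() returns the length it wanted to
 * write excluding the NUL, so the string fits only when that length is
 * strictly less than out_size. Returns 0 on success, -1 when the buffer is
 * too small (output is then truncated but still NUL-terminated). */
static int uuid_unparse_checked(const ExampleUUID *u, char *out, size_t out_size)
{
    const unsigned char *d = u->data;
    int n;

    if (out_size == 0) {
        return -1;
    }
    n = snprintf(out, out_size, UUID_FMT,
                 d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
                 d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Constructed sample UUID: unparses to "12345678-9abc-def0-0123-456789abcdef". */
static const ExampleUUID sample_uuid = {
    { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
      0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }
};

/* Caller that sized its buffer with UUID_STR_LEN (the fixed form). */
static int unparse_with_str_len(char out[UUID_STR_LEN])
{
    return uuid_unparse_checked(&sample_uuid, out, UUID_STR_LEN);
}

/* Caller that sized its buffer with UUID_FMT_LEN (the pre-fix form in
 * hw/vfio/pci.c). With the checked helper this is reported and truncated;
 * with a writer that hardcodes UUID_STR_LEN as the bound it would write the
 * NUL one byte past the end of the array. */
static int unparse_with_fmt_len(char out[UUID_FMT_LEN])
{
    return uuid_unparse_checked(&sample_uuid, out, UUID_FMT_LEN);
}

int main(void)
{
    char good[UUID_STR_LEN];
    char bad[UUID_FMT_LEN];

    ASSERT_UUID_BUF(good);  /* compiles: 37 >= 37 */

    printf("UUID_STR_LEN buffer: rc=%d str=%s\n",
           unparse_with_str_len(good), good);
    printf("UUID_FMT_LEN buffer: rc=%d str=%s (truncated)\n",
           unparse_with_fmt_len(bad), bad);
    return 0;
}
```

Running it prints rc=0 with the full 36-character string for the correctly sized buffer and rc=-1 with a 35-character string for the UUID_FMT_LEN buffer; the point of the design is that the size mismatch surfaces as a return value rather than as a silent one-byte stack write that only a tool such as Coverity would catch.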
* [PATCH 1/2] util/uuid: Add UUID_STR_LEN definition
From: Cédric Le Goater @ 2023-10-25 10:12 UTC
To: qemu-devel
Cc: Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Juan Quintela, Peter Xu, Fabiano Rosas, Leonardo Bras, Cédric Le Goater

qemu_uuid_unparse() includes a trailing NUL when writing the uuid string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a define for this size and use it where required.

Cc: Fam Zheng <fam@euphon.net>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 include/qemu/uuid.h              | 1 +
 block/parallels-ext.c            | 2 +-
 block/vdi.c                      | 2 +-
 hw/core/qdev-properties-system.c | 2 +-
 hw/hyperv/vmbus.c                | 4 ++--
 migration/savevm.c               | 4 ++--
 tests/unit/test-uuid.c           | 2 +-
 util/uuid.c                      | 2 +-
 8 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h index e24a1099e45f2dfc330a578d3ccbe74f3e52e6c1..4e7afaf1d5bd5d382fefbd6f6275d69cf25e7483 100644 --- a/include/qemu/uuid.h +++ b/include/qemu/uuid.h @@ -79,6 +79,7 @@ typedef struct { "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx" #define UUID_FMT_LEN 36 +#define UUID_STR_LEN (UUID_FMT_LEN + 1) #define UUID_NONE "00000000-0000-0000-0000-000000000000" diff --git a/block/parallels-ext.c b/block/parallels-ext.c index 8a109f005ae73e848658e3f044968307a0bfd99d..4d8ecf5047abfe4ba0e7273139638649f5d101a0 100644 --- a/block/parallels-ext.c +++ b/block/parallels-ext.c 
@@ -130,7 +130,7 @@ static BdrvDirtyBitmap *parallels_load_bitmap(BlockDriverState *bs, g_autofree uint64_t *l1_table = NULL; BdrvDirtyBitmap *bitmap; QemuUUID uuid; - char uuidstr[UUID_FMT_LEN + 1]; + char uuidstr[UUID_STR_LEN]; int i; if (data_size < sizeof(bf)) { diff --git a/block/vdi.c b/block/vdi.c index fd7e3653832f890776e03a845a157fede10655b3..fa6e5e198c5d8f4047f0ecddece2493158fe6bc2 100644 --- a/block/vdi.c +++ b/block/vdi.c @@ -239,7 +239,7 @@ static void vdi_header_to_le(VdiHeader *header) static void vdi_header_print(VdiHeader *header) { - char uuidstr[37]; + char uuidstr[UUID_STR_LEN]; QemuUUID uuid; logout("text %s", header->text); logout("signature 0x%08x\n", header->signature); diff --git a/hw/core/qdev-properties-system.c b/hw/core/qdev-properties-system.c index 8e0acf50d6ca045938a44d6d72547607f919ca79..e2130c7d989ebcdb3195cc6040025c732acf4338 100644 --- a/hw/core/qdev-properties-system.c +++ b/hw/core/qdev-properties-system.c @@ -1100,7 +1100,7 @@ static void get_uuid(Object *obj, Visitor *v, const char *name, void *opaque, { Property *prop = opaque; QemuUUID *uuid = object_field_prop_ptr(obj, prop); - char buffer[UUID_FMT_LEN + 1]; + char buffer[UUID_STR_LEN]; char *p = buffer; qemu_uuid_unparse(uuid, buffer); diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c index 271289f902f812ad1aeac3ee426249bba02a9d41..c64eaa5a46a04433dfc33313bbd4fdda8c619868 100644 --- a/hw/hyperv/vmbus.c +++ b/hw/hyperv/vmbus.c @@ -2271,7 +2271,7 @@ static void vmbus_dev_realize(DeviceState *dev, Error **errp) VMBus *vmbus = VMBUS(qdev_get_parent_bus(dev)); BusChild *child; Error *err = NULL; - char idstr[UUID_FMT_LEN + 1]; + char idstr[UUID_STR_LEN]; assert(!qemu_uuid_is_null(&vdev->instanceid)); 
@@ -2467,7 +2467,7 @@ static char *vmbus_get_dev_path(DeviceState *dev) static char *vmbus_get_fw_dev_path(DeviceState *dev) { VMBusDevice *vdev = VMBUS_DEVICE(dev); - char uuid[UUID_FMT_LEN + 1]; + char uuid[UUID_STR_LEN]; qemu_uuid_unparse(&vdev->instanceid, uuid); return g_strdup_printf("%s@%s", qdev_fw_name(dev), uuid); diff --git a/migration/savevm.c b/migration/savevm.c index 8622f229e517f2ad8af80d3654146c16827be2e1..d5f3eafe3b15e289fd64ef5b6ded8bb3b1670596 100644 --- a/migration/savevm.c +++ b/migration/savevm.c @@ -469,8 +469,8 @@ static bool vmstate_uuid_needed(void *opaque) static int vmstate_uuid_post_load(void *opaque, int version_id) { SaveState *state = opaque; - char uuid_src[UUID_FMT_LEN + 1]; - char uuid_dst[UUID_FMT_LEN + 1]; + char uuid_src[UUID_STR_LEN]; + char uuid_dst[UUID_STR_LEN]; if (!qemu_uuid_set) { /* diff --git a/tests/unit/test-uuid.c b/tests/unit/test-uuid.c index aedc125ae98fb3a0b343603f2f0d022f4b8161c4..739b91583cfd97bb4d18256408338695fe87ef15 100644 --- a/tests/unit/test-uuid.c +++ b/tests/unit/test-uuid.c @@ -145,7 +145,7 @@ static void test_uuid_unparse(void) int i; for (i = 0; i < ARRAY_SIZE(uuid_test_data); i++) { - char out[37]; + char out[UUID_STR_LEN]; if (!uuid_test_data[i].check_unparse) { continue; diff --git a/util/uuid.c b/util/uuid.c index d71aa79e5ea433a9f3216b0b24d6276086607604..234619dd5e69a694d47bb299eb2536e5790b9863 100644 --- a/util/uuid.c +++ b/util/uuid.c @@ -51,7 +51,7 @@ int qemu_uuid_is_equal(const QemuUUID *lhv, const QemuUUID *rhv) void qemu_uuid_unparse(const QemuUUID *uuid, char *out) { const unsigned char *uu = &uuid->data[0]; - snprintf(out, UUID_FMT_LEN + 1, UUID_FMT, + snprintf(out, UUID_STR_LEN, UUID_FMT, uu[0], uu[1], uu[2], uu[3], uu[4], uu[5], uu[6], uu[7], uu[8], uu[9], uu[10], uu[11], uu[12], uu[13], uu[14], uu[15]); }
-- 
2.41.0
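Review bot: the include/qemu/uuid.h hunk adds UUID_STR_LEN with no comment saying it includes the terminating NUL, while UUID_FMT_LEN stays behind and still reads like a buffer size, which is exactly how hw/vfio/pci.c got it wrong. A one-line comment on each define (`#define UUID_FMT_LEN 36 /* without NUL */` and `#define UUID_STR_LEN (UUID_FMT_LEN + 1) /* with NUL, use for buffers */`) would steer the next caller to the right one.

Review bot: in the util/uuid.c hunk qemu_uuid_unparse() still hardcodes UUID_STR_LEN as the snprintf() bound while taking a bare `char *out`, so the callee has no way to notice a caller that declared a 36-byte array; the snprintf bound only limits the write relative to the callee's assumption, not the real buffer. Documenting the contract on the prototype in uuid.h (`out` must be at least UUID_STR_LEN bytes), or spelling the parameter as `char out[UUID_STR_LEN]` so the size is visible at the declaration, would state the requirement where callers look.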
* Re: [PATCH 1/2] util/uuid: Add UUID_STR_LEN definition
From: Juan Quintela @ 2023-10-25 10:27 UTC
To: Cédric Le Goater
Cc: qemu-devel, Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Peter Xu, Fabiano Rosas, Leonardo Bras

Cédric Le Goater <clg@redhat.com> wrote:
> qemu_uuid_unparse() includes a trailing NUL when writing the uuid
> string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a
> define for this size and use it where required.
>
> Cc: Fam Zheng <fam@euphon.net>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  include/qemu/uuid.h              | 1 +
>  block/parallels-ext.c            | 2 +-
>  block/vdi.c                      | 2 +-
>  hw/core/qdev-properties-system.c | 2 +-
>  hw/hyperv/vmbus.c                | 4 ++--
>  migration/savevm.c               | 4 ++--
>  tests/unit/test-uuid.c           | 2 +-
>  util/uuid.c                      | 2 +-
>  8 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h

Reviewed-by: Juan Quintela <quintela@redhat.com>
* Re: [PATCH 1/2] util/uuid: Add UUID_STR_LEN definition
From: Philippe Mathieu-Daudé @ 2023-10-25 12:13 UTC
To: Cédric Le Goater, qemu-devel
Cc: Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Juan Quintela, Peter Xu, Fabiano Rosas, Leonardo Bras

On 25/10/23 12:12, Cédric Le Goater wrote:
> qemu_uuid_unparse() includes a trailing NUL when writing the uuid
> string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a
> define for this size and use it where required.
>
> Cc: Fam Zheng <fam@euphon.net>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  include/qemu/uuid.h              | 1 +
>  block/parallels-ext.c            | 2 +-
>  block/vdi.c                      | 2 +-
>  hw/core/qdev-properties-system.c | 2 +-
>  hw/hyperv/vmbus.c                | 4 ++--
>  migration/savevm.c               | 4 ++--
>  tests/unit/test-uuid.c           | 2 +-
>  util/uuid.c                      | 2 +-
>  8 files changed, 10 insertions(+), 9 deletions(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

> diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h index e24a1099e45f2dfc330a578d3ccbe74f3e52e6c1..4e7afaf1d5bd5d382fefbd6f6275d69cf25e7483 100644 --- a/include/qemu/uuid.h +++ b/include/qemu/uuid.h @@ -79,6 +79,7 @@ typedef struct { "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx" #define UUID_FMT_LEN 36 +#define UUID_STR_LEN (UUID_FMT_LEN + 1) #define UUID_NONE "00000000-0000-0000-0000-000000000000"

After this patch, when do we need UUID_FMT_LEN? If it is dangerous, better drop it and keep:

#define UUID_STR_LEN (36 + 1)

or

#define UUID_STR_LEN (36 + sizeof('\0'))
* [PATCH 2/2] vfio/pci: Fix buffer overrun when writing the VF token
From: Cédric Le Goater @ 2023-10-25 10:12 UTC
To: qemu-devel
Cc: Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Juan Quintela, Peter Xu, Fabiano Rosas, Leonardo Bras, Cédric Le Goater, Alex Williamson

qemu_uuid_unparse() includes a trailing NUL when writing the uuid string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the recently added UUID_STR_LEN which defines the correct size.

Fixes: CID 1522913
Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token")
Cc: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 9bfa83aca1a87952e18743c9ca951b1bfc873507..c02a5d70f5e1b8e4d22051285748f514f1b9f008 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -3274,7 +3274,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) Error *err = NULL; int i, ret; bool is_mdev; - char uuid[UUID_FMT_LEN]; + char uuid[UUID_STR_LEN]; char *name; if (vbasedev->fd < 0 && !vbasedev->sysfsdev) {
-- 
2.41.0
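Review bot: the hw/vfio/pci.c hunk sizes `uuid` correctly, but the original `char uuid[UUID_FMT_LEN]` compiled cleanly and was only found by static analysis (the CID 1522913 reference in the commit message), so nothing prevents the same one-byte stack overrun from being reintroduced. A compile-time guard next to the declaration, e.g. `QEMU_BUILD_BUG_ON(sizeof(uuid) < UUID_STR_LEN);`, would make a future regression fail to build rather than wait for the next Coverity run.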
* Re: [PATCH 2/2] vfio/pci: Fix buffer overrun when writing the VF token
From: Juan Quintela @ 2023-10-25 10:28 UTC
To: Cédric Le Goater
Cc: qemu-devel, Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Peter Xu, Fabiano Rosas, Leonardo Bras, Alex Williamson

Cédric Le Goater <clg@redhat.com> wrote:
> qemu_uuid_unparse() includes a trailing NUL when writing the uuid
> string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the
> recently added UUID_STR_LEN which defines the correct size.
>
> Fixes: CID 1522913
> Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token")
> Cc: Alex Williamson <alex.williamson@redhat.com>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>

Reviewed-by: Juan Quintela <quintela@redhat.com>

For what is worth O:-)
* Re: [PATCH 2/2] vfio/pci: Fix buffer overrun when writing the VF token
From: Alex Williamson @ 2023-10-25 19:55 UTC
To: Cédric Le Goater
Cc: qemu-devel, Stefan Hajnoczi, Denis V. Lunev, Kevin Wolf, Hanna Reitz, Stefan Weil, Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost, Maciej S. Szmigiero, Fam Zheng, Juan Quintela, Peter Xu, Fabiano Rosas, Leonardo Bras

On Wed, 25 Oct 2023 12:12:45 +0200
Cédric Le Goater <clg@redhat.com> wrote:
> qemu_uuid_unparse() includes a trailing NUL when writing the uuid
> string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the
> recently added UUID_STR_LEN which defines the correct size.
>
> Fixes: CID 1522913
> Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token")
> Cc: Alex Williamson <alex.williamson@redhat.com>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  hw/vfio/pci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 9bfa83aca1a87952e18743c9ca951b1bfc873507..c02a5d70f5e1b8e4d22051285748f514f1b9f008 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -3274,7 +3274,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) Error *err = NULL; int i, ret; bool is_mdev; - char uuid[UUID_FMT_LEN]; + char uuid[UUID_STR_LEN]; char *name; if (vbasedev->fd < 0 && !vbasedev->sysfsdev) {

Reviewed-by: Alex Williamson <alex.williamson@redhat.com>