From: Stefan Hajnoczi <stefanha@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	qemu-block@nongnu.org,
	"Richard Henderson" <richard.henderson@linaro.org>,
	qemu-devel@nongnu.org, "Max Reitz" <mreitz@redhat.com>,
	qemu-ppc@nongnu.org, "Gerd Hoffmann" <kraxel@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>
Subject: Re: [PATCH 06/23] hw/block/dataplane/virtio-blk: Avoid dynamic stack allocation
Date: Thu, 6 May 2021 15:47:19 +0100
Message-ID: <YJQBd+lnvQnbK0XH@stefanha-x1.localdomain>
In-Reply-To: <124ddeb2-ca4a-c551-19ad-d1125451226f@redhat.com>


On Thu, May 06, 2021 at 11:01:47AM +0200, Philippe Mathieu-Daudé wrote:
> On 5/6/21 10:53 AM, Stefan Hajnoczi wrote:
> > On Wed, May 05, 2021 at 11:10:30PM +0200, Philippe Mathieu-Daudé wrote:
> >> Use autofree heap allocation instead of variable-length
> >> array on the stack.
> >>
> >> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> >> ---
> >>  hw/block/dataplane/virtio-blk.c | 7 ++++---
> >>  1 file changed, 4 insertions(+), 3 deletions(-)
> > 
> > Why?
> 
> The motivation behind removing all variable-length allocations
> (and adding CPPFLAG+=-Wvla at the end) is to avoid security
> vulnerabilities such as CVE-2021-3527.

I see. Please mention it in the commit description. There could be other
reasons for this change, like minimizing stack usage, so I wasn't sure
why.

> > This is a performance-critical code path and BITS_TO_LONGS(nvqs) is
> > small.
> 
> OK, having looked better at nvqs, I suppose this is preferred:
> 
> -- >8 --
> @@ -60,7 +60,7 @@ static void notify_guest_bh(void *opaque)
>  {
>      VirtIOBlockDataPlane *s = opaque;
>      unsigned nvqs = s->conf->num_queues;
> -    unsigned long bitmap[BITS_TO_LONGS(nvqs)];
> +    unsigned long bitmap[BITS_TO_LONGS(VIRTIO_QUEUE_MAX)];
>      unsigned j;
> 
>      memcpy(bitmap, s->batch_notify_vqs, sizeof(bitmap));
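Review bot: the memcpy on the last line of the hunk still copies sizeof(bitmap) bytes, and after this change that is BITS_TO_LONGS(VIRTIO_QUEUE_MAX) longs regardless of nvqs, so unless s->batch_notify_vqs is itself allocated for VIRTIO_QUEUE_MAX the copy reads past the end of the source. Either size the copy by the source, e.g. `memcpy(bitmap, s->batch_notify_vqs, BITS_TO_LONGS(nvqs) * sizeof(unsigned long));` and make sure nothing later reads the uninitialised tail of bitmap[], or drop the local copy and iterate over s->batch_notify_vqs directly. The fixed-size array also silently depends on nvqs <= VIRTIO_QUEUE_MAX; an assertion or a comment at the declaration would make that explicit.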
> ---
> 
> Would that work for you?

It's a little risky since s->batch_notify_vqs does not have
sizeof(bitmap). That makes uninitialized data and buffer overflows more
likely. Your example has the bug:

  memcpy(bitmap, s->batch_notify_vqs, sizeof(bitmap));
                                      ^^^^^^^^^^^^^^
  Accesses beyond the end of s->batch_notify_vqs[].

Can we eliminate bitmap[] entirely by using bitops.h APIs on
s->batch_notify_vqs instead?

Stefan

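The alternative Stefan asks about above, written out as an added example (this is not QEMU code): the batch-notify bitmap is drained in place with bitops-style helpers, so there is no local bitmap[] whose sizeof can disagree with the source. BITS_TO_LONGS, set_bit, clear_bit and find_next_set_bit are minimal local re-implementations of the bitops.h idioms, struct dataplane and the notify callback are stand-ins for the QEMU dataplane state, VIRTIO_QUEUE_MAX_ASSUMED is an assumed stand-in constant, and the example assumes s->batch_notify_vqs is a heap bitmap sized for nvqs. fixed_copy_overread_bytes() quantifies, under that same assumption, how far the memcpy in the quoted hunk would read past the end of the source.

```c
/*
 * Added example, not QEMU code: drain a batch-notify bitmap in place with
 * bitops-style helpers instead of copying it into a local array.
 * Assumptions: s->batch_notify_vqs is a heap bitmap sized for nvqs, and
 * VIRTIO_QUEUE_MAX_ASSUMED stands in for QEMU's VIRTIO_QUEUE_MAX.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define BITS_PER_LONG     (CHAR_BIT * sizeof(unsigned long))
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define VIRTIO_QUEUE_MAX_ASSUMED 1024u   /* assumption, see lead-in */

struct dataplane {
    unsigned nvqs;                   /* stand-in for s->conf->num_queues */
    unsigned long *batch_notify_vqs; /* heap bitmap with nvqs bits (assumed) */
};

/*
 * Bytes that memcpy(bitmap, src, sizeof(bitmap)) reads past the end of a
 * source sized for nvqs once bitmap[] is declared with max_vqs instead of
 * nvqs. 0 means the copy stays inside the source.
 */
size_t fixed_copy_overread_bytes(unsigned nvqs, unsigned max_vqs)
{
    size_t dst = BITS_TO_LONGS(max_vqs) * sizeof(unsigned long);
    size_t src = BITS_TO_LONGS(nvqs) * sizeof(unsigned long);
    return dst > src ? dst - src : 0;
}

static void set_bit(unsigned nr, unsigned long *map)
{
    map[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG);
}

static void clear_bit(unsigned nr, unsigned long *map)
{
    map[nr / BITS_PER_LONG] &= ~(1UL << (nr % BITS_PER_LONG));
}

/* Index of the first set bit at or after 'start', or nbits if there is none. */
static unsigned find_next_set_bit(const unsigned long *map, unsigned nbits,
                                  unsigned start)
{
    while (start < nbits) {
        unsigned long word = map[start / BITS_PER_LONG] >> (start % BITS_PER_LONG);
        if (word) {
            unsigned found = start + (unsigned)__builtin_ctzl(word);
            return found < nbits ? found : nbits;   /* clamp stray high bits */
        }
        start = (start / BITS_PER_LONG + 1) * BITS_PER_LONG; /* skip to next word */
    }
    return nbits;
}

/*
 * Notify every queue whose bit is set, clearing each bit as it is consumed.
 * The walk is bounded by nvqs and touches only the source bitmap, so no
 * local copy exists whose size could disagree with it. Returns the number
 * of queues notified.
 */
unsigned notify_batch(struct dataplane *s,
                      void (*notify)(unsigned vq, void *ctx), void *ctx)
{
    unsigned n = 0;

    for (unsigned i = find_next_set_bit(s->batch_notify_vqs, s->nvqs, 0);
         i < s->nvqs;
         i = find_next_set_bit(s->batch_notify_vqs, s->nvqs, i + 1)) {
        clear_bit(i, s->batch_notify_vqs);
        notify(i, ctx);
        n++;
    }
    return n;
}

/* Constructed scenario: 130 queues, with queues 0, 5, 63, 64 and 129 pending. */
unsigned demo_order[8];

static void record(unsigned vq, void *ctx)
{
    unsigned *count = ctx;
    if (*count < 8) {
        demo_order[(*count)++] = vq;
    }
}

/* Returns the number of queues notified, or 0 if any bit was left behind. */
unsigned run_demo(void)
{
    static const unsigned pending[] = { 0, 5, 63, 64, 129 };
    struct dataplane s = { .nvqs = 130 };
    unsigned count = 0, n;
    int drained = 1;

    s.batch_notify_vqs = calloc(BITS_TO_LONGS(s.nvqs), sizeof(unsigned long));
    if (!s.batch_notify_vqs) {
        return 0;
    }
    for (size_t k = 0; k < sizeof(pending) / sizeof(pending[0]); k++) {
        set_bit(pending[k], s.batch_notify_vqs);
    }
    n = notify_batch(&s, record, &count);
    for (size_t w = 0; w < BITS_TO_LONGS(s.nvqs); w++) {
        if (s.batch_notify_vqs[w]) {
            drained = 0;
        }
    }
    free(s.batch_notify_vqs);
    return drained ? n : 0;
}

int main(void)
{
    printf("over-read with nvqs=4, max=%u: %zu bytes\n", VIRTIO_QUEUE_MAX_ASSUMED,
           fixed_copy_overread_bytes(4, VIRTIO_QUEUE_MAX_ASSUMED));
    printf("notified %u queues\n", run_demo());
    return 0;
}
```

The point of the in-place walk is that the only size in play is nvqs, the size the source was allocated with; the fixed-size local array in the quoted hunk introduces a second size (VIRTIO_QUEUE_MAX) that the memcpy then has to be kept consistent with by hand.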


Thread overview: 65+ messages
2021-05-05 21:10 [PATCH 00/23] misc: Remove variable-length arrays on the stack Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 01/23] block/vpc: Avoid dynamic stack allocation Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 02/23] chardev/baum: Replace magic values by X_MAX / Y_MAX definitions Philippe Mathieu-Daudé
2021-05-05 21:12   ` Samuel Thibault
2021-05-05 21:24   ` Marc-André Lureau
2021-05-05 21:10 ` [PATCH 03/23] chardev/baum: Use definitions to avoid dynamic stack allocation Philippe Mathieu-Daudé
2021-05-05 21:14   ` Samuel Thibault
2021-05-05 21:27   ` Marc-André Lureau
2021-05-05 21:39     ` Samuel Thibault
2021-05-05 21:10 ` [PATCH 04/23] chardev/baum: Avoid " Philippe Mathieu-Daudé
2021-05-05 21:15   ` Samuel Thibault
2021-05-05 21:29   ` Marc-André Lureau
2021-05-05 21:10 ` [PATCH 05/23] io/channel-websock: Replace strlen(const_str) by sizeof(const_str) - 1 Philippe Mathieu-Daudé
2021-05-06  8:36   ` Daniel P. Berrangé
2021-05-05 21:10 ` [PATCH 06/23] hw/block/dataplane/virtio-blk: Avoid dynamic stack allocation Philippe Mathieu-Daudé
2021-05-06  8:53   ` Stefan Hajnoczi
2021-05-06  9:01     ` Philippe Mathieu-Daudé
2021-05-06 14:47       ` Stefan Hajnoczi [this message]
2021-05-06 15:19         ` Philippe Mathieu-Daudé
2021-05-10  9:09           ` Stefan Hajnoczi
2021-05-05 21:10 ` [PATCH 07/23] hw/block/nvme: Use definition to avoid " Philippe Mathieu-Daudé
2021-05-05 21:22   ` Keith Busch
2021-05-05 22:07     ` Philippe Mathieu-Daudé
2021-05-05 23:09       ` Eric Blake
2021-05-06  0:14         ` Warner Losh
2021-05-06  2:15         ` Keith Busch
2021-05-06  6:42           ` Philippe Mathieu-Daudé
2021-05-07 16:22           ` Richard Henderson
2021-05-06  6:27   ` Klaus Jensen
2021-05-07 15:59   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 08/23] hw/block/nvme: Avoid " Philippe Mathieu-Daudé
2021-05-06  6:43   ` Klaus Jensen
2021-05-05 21:10 ` [PATCH 09/23] hw/net/e1000e_core: Use definition to avoid " Philippe Mathieu-Daudé
2021-05-06  3:35   ` Jason Wang
2021-05-07 16:29   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 10/23] hw/ppc/pnv: Avoid " Philippe Mathieu-Daudé
2021-05-06  2:12   ` David Gibson
2021-05-05 21:10 ` [PATCH 11/23] hw/intc/xics: " Philippe Mathieu-Daudé
2021-05-06  2:13   ` David Gibson
2021-05-06  8:22   ` Greg Kurz
2021-05-06 13:52     ` Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 12/23] hw/i386/multiboot: " Philippe Mathieu-Daudé
2021-05-07 16:27   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 13/23] hw/usb/hcd-xhci: " Philippe Mathieu-Daudé
2021-05-07 16:34   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 14/23] hw/usb/hcd-ohci: Use definition to avoid " Philippe Mathieu-Daudé
2021-05-07 16:39   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 15/23] net: Avoid " Philippe Mathieu-Daudé
2021-05-06  2:15   ` David Gibson
2021-05-06  7:09   ` Jason Wang
2021-05-05 21:10 ` [PATCH 16/23] ui/curses: " Philippe Mathieu-Daudé
2021-05-07 16:42   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 17/23] ui/spice-display: " Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 18/23] ui/vnc-enc-hextile: Use definitions to avoid " Philippe Mathieu-Daudé
2021-05-07 16:46   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 19/23] ui/vnc-enc-tight: Avoid " Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 20/23] util/iov: " Philippe Mathieu-Daudé
2021-05-05 21:10 ` [PATCH 21/23] target/ppc/kvm: " Philippe Mathieu-Daudé
2021-05-05 21:10   ` Philippe Mathieu-Daudé
2021-05-06  2:16   ` David Gibson
2021-05-06  2:16     ` David Gibson
2021-05-05 21:10 ` [PATCH 22/23] tests/unit/test-vmstate: " Philippe Mathieu-Daudé
2021-05-07 16:52   ` Richard Henderson
2021-05-05 21:10 ` [PATCH 23/23] configure: Prohibit variable-length allocations by using -Wvla CPPFLAG Philippe Mathieu-Daudé
2021-05-07 16:56   ` Richard Henderson
