From: Klaus Jensen <its@irrelevant.dk>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Fam Zheng <fam@euphon.net>, Kevin Wolf <kwolf@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Qemu-block <qemu-block@nongnu.org>,
Heinrich Schuchardt <xypron.glpk@gmx.de>,
QEMU Developers <qemu-devel@nongnu.org>,
Max Reitz <mreitz@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Klaus Jensen <k.jensen@samsung.com>,
Keith Busch <kbusch@kernel.org>
Subject: Re: [PULL 06/23] hw/nvme: namespace parameter for EUI-64
Date: Mon, 9 Aug 2021 12:44:00 +0200 [thread overview]
Message-ID: <YREG8BuwApcdqUKu@apples.localdomain> (raw)
In-Reply-To: <CAFEAcA-Xodpue0bUBbG++-CcRPV-+EJh=qw_23aGPEh3sAk0Ow@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4289 bytes --]
On Aug 9 11:18, Peter Maydell wrote:
> On Tue, 29 Jun 2021 at 19:48, Klaus Jensen <its@irrelevant.dk> wrote:
> >
> > From: Heinrich Schuchardt <xypron.glpk@gmx.de>
> >
> > The EUI-64 field is the only identifier for NVMe namespaces in UEFI device
> > paths. Add a new namespace property "eui64", that provides the user the
> > option to specify the EUI-64.
>
> Hi; Coverity complains about some uses of uninitialized data in this
> code (CID 1458835 1459295 1459580). I think the bug was present in
> the previous version of this function, but this was the last change
> to touch it...
>
> > diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
> > index 7dea64b72e6a..762bb82e3cac 100644
> > --- a/hw/nvme/ctrl.c
> > +++ b/hw/nvme/ctrl.c
> > @@ -4426,19 +4426,19 @@ static uint16_t nvme_identify_ns_descr_list(NvmeCtrl *n, NvmeRequest *req)
> > NvmeIdentify *c = (NvmeIdentify *)&req->cmd;
> > uint32_t nsid = le32_to_cpu(c->nsid);
> > uint8_t list[NVME_IDENTIFY_DATA_SIZE] = {};
> > -
> > - struct data {
> > - struct {
> > - NvmeIdNsDescr hdr;
> > - uint8_t v[NVME_NIDL_UUID];
> > - } uuid;
> > - struct {
> > - NvmeIdNsDescr hdr;
> > - uint8_t v;
> > - } csi;
> > - };
> > -
> > - struct data *ns_descrs = (struct data *)list;
> > + uint8_t *pos = list;
> > + struct {
> > + NvmeIdNsDescr hdr;
> > + uint8_t v[NVME_NIDL_UUID];
> > + } QEMU_PACKED uuid;
> > + struct {
> > + NvmeIdNsDescr hdr;
> > + uint64_t v;
> > + } QEMU_PACKED eui64;
> > + struct {
> > + NvmeIdNsDescr hdr;
> > + uint8_t v;
> > + } QEMU_PACKED csi;
>
> Here we define locals 'uuid', 'eui64', 'csi', without an initializer.
>
> > trace_pci_nvme_identify_ns_descr_list(nsid);
> >
> > @@ -4452,17 +4452,29 @@ static uint16_t nvme_identify_ns_descr_list(NvmeCtrl *n, NvmeRequest *req)
> > }
> >
> > /*
> > - * Because the NGUID and EUI64 fields are 0 in the Identify Namespace data
> > - * structure, a Namespace UUID (nidt = 3h) must be reported in the
> > - * Namespace Identification Descriptor. Add the namespace UUID here.
> > + * If the EUI-64 field is 0 and the NGUID field is 0, the namespace must
> > + * provide a valid Namespace UUID in the Namespace Identification Descriptor
> > + * data structure. QEMU does not yet support setting NGUID.
> > */
> > - ns_descrs->uuid.hdr.nidt = NVME_NIDT_UUID;
> > - ns_descrs->uuid.hdr.nidl = NVME_NIDL_UUID;
> > - memcpy(&ns_descrs->uuid.v, ns->params.uuid.data, NVME_NIDL_UUID);
> > + uuid.hdr.nidt = NVME_NIDT_UUID;
> > + uuid.hdr.nidl = NVME_NIDL_UUID;
> > + memcpy(uuid.v, ns->params.uuid.data, NVME_NIDL_UUID);
>
> Here we fill in some fields of uuid, but we don't touch uuid.hdr.rsvd2[],
> which remains thus 2 bytes of uninitialized junk from our stack.
>
> > + memcpy(pos, &uuid, sizeof(uuid));
>
> Here we copy all of uuid to a buffer which we're going to hand
> to the guest, so we've just given it two bytes of QEMU stack data
> that it shouldn't really be able to look at.
>
> > + pos += sizeof(uuid);
>
> >
> > - ns_descrs->csi.hdr.nidt = NVME_NIDT_CSI;
> > - ns_descrs->csi.hdr.nidl = NVME_NIDL_CSI;
> > - ns_descrs->csi.v = ns->csi;
> > + if (ns->params.eui64) {
> > + eui64.hdr.nidt = NVME_NIDT_EUI64;
> > + eui64.hdr.nidl = NVME_NIDL_EUI64;
> > + eui64.v = cpu_to_be64(ns->params.eui64);
> > + memcpy(pos, &eui64, sizeof(eui64));
> > + pos += sizeof(eui64);
> > + }
> > +
> > + csi.hdr.nidt = NVME_NIDT_CSI;
> > + csi.hdr.nidl = NVME_NIDL_CSI;
> > + csi.v = ns->csi;
> > + memcpy(pos, &csi, sizeof(csi));
> > + pos += sizeof(csi);
>
> We do the same thing for the rsvd2[] bytes in csi.hdr and eui64.hdr.
>
> > return nvme_c2h(n, list, sizeof(list), req);
> > }
>
> Explicitly zero-initializing uuid, csi, eui64 with "= { }" would
> be the most robust fix. If you think it's worth avoiding "zero
> init and then overwrite 90% of the fields anyway" then you could
> explicitly zero the .hdr.rsvd2 bytes.
>
Thanks Peter,
Fix posted!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2021-08-09 10:48 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-29 18:47 [PULL 00/23] hw/nvme patches Klaus Jensen
2021-06-29 18:47 ` [PULL 01/23] hw/nvme: fix style Klaus Jensen
2021-06-29 18:47 ` [PULL 02/23] hw/nvme: add identify namespace flbas/mc enums Klaus Jensen
2021-06-29 18:47 ` [PULL 03/23] hw/nvme: fix lbaf formats initialization Klaus Jensen
2021-06-29 18:47 ` [PULL 04/23] hw/nvme: add param to control auto zone transitioning to zone state closed Klaus Jensen
2021-06-29 18:47 ` [PULL 05/23] hw/nvme: fix csi field for cns 0x00 and 0x11 Klaus Jensen
2021-06-29 18:47 ` [PULL 06/23] hw/nvme: namespace parameter for EUI-64 Klaus Jensen
2021-08-09 10:18 ` Peter Maydell
2021-08-09 10:44 ` Klaus Jensen [this message]
2021-06-29 18:47 ` [PULL 07/23] hw/nvme: default for namespace EUI-64 Klaus Jensen
2021-06-29 18:47 ` [PULL 08/23] hw/nvme: reimplement flush to allow cancellation Klaus Jensen
2021-06-29 18:47 ` [PULL 09/23] hw/nvme: add nvme_block_status_all helper Klaus Jensen
2021-06-29 18:47 ` [PULL 10/23] hw/nvme: reimplement dsm to allow cancellation Klaus Jensen
2021-06-29 18:47 ` [PULL 11/23] hw/nvme: save reftag when generating pi Klaus Jensen
2021-06-29 18:47 ` [PULL 12/23] hw/nvme: remove assert from nvme_get_zone_by_slba Klaus Jensen
2021-06-29 18:47 ` [PULL 13/23] hw/nvme: use prinfo directly in nvme_check_prinfo and nvme_dif_check Klaus Jensen
2021-06-29 18:47 ` [PULL 14/23] hw/nvme: add dw0/1 to the req completion trace event Klaus Jensen
2021-06-29 18:47 ` [PULL 15/23] hw/nvme: reimplement the copy command to allow aio cancellation Klaus Jensen
2021-06-29 18:47 ` [PULL 16/23] hw/nvme: reimplement zone reset to allow cancellation Klaus Jensen
2021-06-29 18:47 ` [PULL 17/23] hw/nvme: reimplement format nvm " Klaus Jensen
2021-06-29 18:47 ` [PULL 18/23] Partially revert "hw/block/nvme: drain namespaces on sq deletion" Klaus Jensen
2021-06-29 18:47 ` [PULL 19/23] hw/nvme: fix endianess conversion and add controller list Klaus Jensen
2021-06-29 18:47 ` [PULL 20/23] hw/nvme: documentation fix Klaus Jensen
2021-06-29 18:47 ` [PULL 21/23] hw/nvme: fix missing check for PMR capability Klaus Jensen
2021-06-29 18:47 ` [PULL 22/23] hw/nvme: fix pin-based interrupt behavior (again) Klaus Jensen
2021-06-29 18:47 ` [PULL 23/23] hw/nvme: add 'zoned.zasl' to documentation Klaus Jensen
2021-07-01 9:07 ` [PULL 00/23] hw/nvme patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YREG8BuwApcdqUKu@apples.localdomain \
--to=its@irrelevant.dk \
--cc=ehabkost@redhat.com \
--cc=fam@euphon.net \
--cc=k.jensen@samsung.com \
--cc=kbusch@kernel.org \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.