* [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
@ 2014-02-24 13:51 Markus Armbruster
  2014-02-24 13:51 ` [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, alex.williamson

v2:
* Treat readlink() filling buffer as error (Alex)
* Use sizeof() rather than PATH_MAX (Peter)
* PATCH 2/2 unchanged

Markus Armbruster (2):
  vfio: Fix overrun after readlink() fills buffer completely
  pci-assign: Fix potential read beyond buffer on -EBUSY

 hw/i386/kvm/pci-assign.c | 1 +
 hw/misc/vfio.c           | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

-- 
1.8.1.4

* [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely
  2014-02-24 13:51 [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Markus Armbruster
@ 2014-02-24 13:51 ` Markus Armbruster
  2014-02-24 13:51 ` [Qemu-devel] [PATCH v2 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
  2014-02-24 17:39 ` [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Alex Williamson
  2 siblings, 0 replies; 6+ messages in thread
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, alex.williamson

readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte.  vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.

Fix by treating readlink() filling the buffer completely as error,
like we do in pci-assign.c's assign_failed_examine().

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 hw/misc/vfio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 8db182f..e669bbe 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev)
 
     strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
 
-    len = readlink(path, iommu_group_path, PATH_MAX);
-    if (len <= 0) {
+    len = readlink(path, iommu_group_path, sizeof(path));
+    if (len <= 0 || len >= sizeof(path)) {
         error_report("vfio: error no iommu_group for device");
-        return -errno;
+        return len < 0 ? -errno : ENAMETOOLONG;
     }
 
     iommu_group_path[len] = 0;
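Review bot: the size passed to readlink() and then compared against len on the two `+` lines is sizeof(path), but the destination buffer is iommu_group_path; the new check only protects that buffer if the two arrays happen to have the same size, so use the destination's size in both places: `len = readlink(path, iommu_group_path, sizeof(iommu_group_path));` and `if (len <= 0 || len >= sizeof(iommu_group_path)) {`. Second, the existing error path in this hunk returns -errno (negative), while `return len < 0 ? -errno : ENAMETOOLONG;` returns a positive ENAMETOOLONG; returning -ENAMETOOLONG keeps the negative-errno convention consistent for callers that test for `< 0`. The ssize_t/size_t comparison itself is safe because the `len <= 0` test short-circuits before len is converted.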
-- 
1.8.1.4

* [Qemu-devel] [PATCH v2 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
  2014-02-24 13:51 [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Markus Armbruster
  2014-02-24 13:51 ` [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
@ 2014-02-24 13:51 ` Markus Armbruster
  2014-02-24 17:39 ` [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Alex Williamson
  2 siblings, 0 replies; 6+ messages in thread
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, alex.williamson

readlink() doesn't write a terminating null byte.
assign_failed_examine() passes the unterminated string to strrchr().
Oops.  Terminate it.

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/i386/kvm/pci-assign.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index 9686801..a825871 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
         goto fail;
     }
 
+    driver[r] = 0;
     ns = strrchr(driver, '/');
     if (!ns) {
         goto fail;
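Review bot: `driver[r] = 0;` is in bounds only if the readlink() length check that ends in the `goto fail` at the top of this hunk already rejects r >= sizeof(driver); patch 1/2's message states that assign_failed_examine() treats a completely filled buffer as an error, so the write is safe, but a short comment on the new line (e.g. `/* r < sizeof(driver), checked above */`) would make that dependency visible to whoever next touches the check. Without that guard, terminating at driver[r] would turn the over-read in strrchr() into a one-byte write past the buffer, so the two checks should stay together.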
-- 
1.8.1.4
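Both patches remove the same unsafe sequence, `len = readlink(path, buf, size); buf[len] = 0;`, which writes one byte past the buffer whenever readlink() fills it completely and, in the pci-assign case, was missing altogether so that strrchr() read past the bytes readlink() had stored. The example below is an added illustration and not QEMU code: `finish_readlink()` isolates the boundary logic that patch 1/2 applies (len == size is an error, not a success), `readlink_z()` wraps the real syscall with it, and the two self-test functions are constructed checks, one on a fixed buffer and one against a symlink created in a temporary directory. All function names and the 16-byte sample target are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Turn a raw readlink() result into a NUL-terminated string or an error.
 * readlink() returns the byte count it stored and never writes a terminator,
 * so "buf[len] = 0" is only in bounds when len < size.  The exact-fit case
 * (len == size) is rejected as -ENAMETOOLONG, as the vfio patch does, because
 * the target may also have been truncated.  A negative len means readlink()
 * failed and errno is still valid; it is handed back as -errno. */
int finish_readlink(ssize_t len, char *buf, size_t size)
{
    if (len < 0) {
        return -errno;
    }
    if ((size_t)len >= size) {
        if (size > 0) {
            buf[0] = '\0';      /* leave a valid (empty) string behind */
        }
        return -ENAMETOOLONG;
    }
    buf[len] = '\0';            /* in bounds: len <= size - 1 */
    return 0;
}

/* readlink() wrapper that never hands back an unterminated buffer. */
int readlink_z(const char *path, char *buf, size_t size)
{
    if (size == 0) {
        return -EINVAL;
    }
    return finish_readlink(readlink(path, buf, size), buf, size);
}

/* Boundary check on a constructed buffer, no filesystem involved.
 * Returns 0 when every case passes, else the number of the failing case. */
int finish_readlink_selftest(void)
{
    char buf[8];

    /* Case 1: all 8 bytes filled, so there is no room for the terminator. */
    memcpy(buf, "abcdefgh", sizeof(buf));
    if (finish_readlink(8, buf, sizeof(buf)) != -ENAMETOOLONG || buf[0] != '\0') {
        return 1;
    }
    /* Case 2: 7 bytes stored, terminator lands on buf[7], still in bounds. */
    memcpy(buf, "abcdefgh", sizeof(buf));
    if (finish_readlink(7, buf, sizeof(buf)) != 0 || strcmp(buf, "abcdefg") != 0) {
        return 2;
    }
    /* Case 3: a failed readlink() propagates errno as a negative value. */
    errno = ENOENT;
    if (finish_readlink(-1, buf, sizeof(buf)) != -ENOENT) {
        return 3;
    }
    return 0;
}

/* End-to-end check against a real symlink in a fresh temporary directory.
 * Returns 0 when every case passes, the failing case number otherwise, or
 * -1 when the temporary directory cannot be created (nothing to test). */
int readlink_z_selftest(void)
{
    char dir[] = "/tmp/readlink_zXXXXXX";
    char link[PATH_MAX], missing[PATH_MAX];
    const char *target = "0123456789abcdef";   /* constructed 16-byte target */
    char exact[16];                             /* == strlen(target): exact fit */
    char roomy[17];                             /* one byte of slack for the NUL */
    int result = 0;

    if (!mkdtemp(dir)) {
        return -1;
    }
    snprintf(link, sizeof(link), "%s/link", dir);
    snprintf(missing, sizeof(missing), "%s/missing", dir);
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return -1;
    }
    if (readlink_z(link, exact, sizeof(exact)) != -ENAMETOOLONG) {
        result = 1;     /* exact fit must be reported, not silently overrun */
    } else if (readlink_z(link, roomy, sizeof(roomy)) != 0
               || strcmp(roomy, target) != 0) {
        result = 2;     /* with one byte of slack the target comes back intact */
    } else if (readlink_z(missing, roomy, sizeof(roomy)) != -ENOENT) {
        result = 3;     /* the kernel's errno is passed through unchanged */
    }
    unlink(link);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("logic check: %d, filesystem check: %d (0 = all cases passed)\n",
           finish_readlink_selftest(), readlink_z_selftest());
    return 0;
}
```

Compile with `cc -Wall -o readlink_z readlink_z.c` and run it; both checks print 0. The design choice worth copying is that the length check and the terminating write live in one function, so a future edit cannot keep one and lose the other, which is exactly the split that let the pci-assign bug in.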

* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
  2014-02-24 13:51 [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Markus Armbruster
  2014-02-24 13:51 ` [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely Markus Armbruster
  2014-02-24 13:51 ` [Qemu-devel] [PATCH v2 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY Markus Armbruster
@ 2014-02-24 17:39 ` Alex Williamson
  2014-02-24 17:40   ` Peter Maydell
  2 siblings, 1 reply; 6+ messages in thread
From: Alex Williamson @ 2014-02-24 17:39 UTC (permalink / raw)
  To: Markus Armbruster; +Cc: peter.maydell, qemu-devel

On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
> v2:
> * Treat readlink() filling buffer as error (Alex)
> * Use sizeof() rather than PATH_MAX (Peter)
> * PATCH 2/2 unchanged
> 
> Markus Armbruster (2):
>   vfio: Fix overrun after readlink() fills buffer completely
>   pci-assign: Fix potential read beyond buffer on -EBUSY
> 
>  hw/i386/kvm/pci-assign.c | 1 +
>  hw/misc/vfio.c           | 6 +++---
>  2 files changed, 4 insertions(+), 3 deletions(-)

For both:

Acked-by: Alex Williamson <alex.williamson@redhat.com>

Peter, if you want to grab these directly, feel free, otherwise I can
shepherd them in through vfio.  Thanks,

Alex

* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
  2014-02-24 17:39 ` [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment Alex Williamson
@ 2014-02-24 17:40   ` Peter Maydell
  2014-02-24 17:49     ` Alex Williamson
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Maydell @ 2014-02-24 17:40 UTC (permalink / raw)
  To: Alex Williamson; +Cc: Markus Armbruster, QEMU Developers

On 24 February 2014 17:39, Alex Williamson <alex.williamson@redhat.com> wrote:
> On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
>> v2:
>> * Treat readlink() filling buffer as error (Alex)
>> * Use sizeof() rather than PATH_MAX (Peter)
>> * PATCH 2/2 unchanged
>>
>> Markus Armbruster (2):
>>   vfio: Fix overrun after readlink() fills buffer completely
>>   pci-assign: Fix potential read beyond buffer on -EBUSY
>>
>>  hw/i386/kvm/pci-assign.c | 1 +
>>  hw/misc/vfio.c           | 6 +++---
>>  2 files changed, 4 insertions(+), 3 deletions(-)
>
> For both:
>
> Acked-by: Alex Williamson <alex.williamson@redhat.com>
>
> Peter, if you want to grab these directly, feel free, otherwise I can
> shepherd them in through vfio.  Thanks,

Via vfio would be easiest for me.

thanks
-- PMM

* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
  2014-02-24 17:40   ` Peter Maydell
@ 2014-02-24 17:49     ` Alex Williamson
  0 siblings, 0 replies; 6+ messages in thread
From: Alex Williamson @ 2014-02-24 17:49 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Markus Armbruster, QEMU Developers

On Mon, 2014-02-24 at 17:40 +0000, Peter Maydell wrote:
> On 24 February 2014 17:39, Alex Williamson <alex.williamson@redhat.com> wrote:
> > On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
> >> v2:
> >> * Treat readlink() filling buffer as error (Alex)
> >> * Use sizeof() rather than PATH_MAX (Peter)
> >> * PATCH 2/2 unchanged
> >>
> >> Markus Armbruster (2):
> >>   vfio: Fix overrun after readlink() fills buffer completely
> >>   pci-assign: Fix potential read beyond buffer on -EBUSY
> >>
> >>  hw/i386/kvm/pci-assign.c | 1 +
> >>  hw/misc/vfio.c           | 6 +++---
> >>  2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > For both:
> >
> > Acked-by: Alex Williamson <alex.williamson@redhat.com>
> >
> > Peter, if you want to grab these directly, feel free, otherwise I can
> > shepherd them in through vfio.  Thanks,
> 
> Via vfio would be easiest for me.

Ok
