* [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
@ 2014-02-24 13:51 Markus Armbruster
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, alex.williamson
v2:
* Treat readlink() filling buffer as error (Alex)
* Use sizeof() rather than PATH_MAX (Peter)
* PATCH 2/2 unchanged
Markus Armbruster (2):
vfio: Fix overrun after readlink() fills buffer completely
pci-assign: Fix potential read beyond buffer on -EBUSY
hw/i386/kvm/pci-assign.c | 1 +
hw/misc/vfio.c | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
--
1.8.1.4
* [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, alex.williamson
readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.
Fix by treating readlink() filling the buffer completely as error,
like we do in pci-assign.c's assign_failed_examine().
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
hw/misc/vfio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 8db182f..e669bbe 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev)
strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
- len = readlink(path, iommu_group_path, PATH_MAX);
- if (len <= 0) {
+ len = readlink(path, iommu_group_path, sizeof(path));
+ if (len <= 0 || len >= sizeof(path)) {
error_report("vfio: error no iommu_group for device");
- return -errno;
+ return len < 0 ? -errno : ENAMETOOLONG;
}
iommu_group_path[len] = 0;
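Review bot: the bound passed to readlink() and tested afterwards is `sizeof(path)`, but the buffer being written is `iommu_group_path`, so `len = readlink(path, iommu_group_path, sizeof(path));` and `if (len <= 0 || len >= sizeof(path))` are only correct while both arrays happen to be declared with the same size; use `sizeof(iommu_group_path)` in both places so the bound follows the buffer it protects. The new return value also mixes signs: `-errno` is negative while `ENAMETOOLONG` is returned positive, so a caller that tests for a negative errno misses the too-long case; return `-ENAMETOOLONG`. Minor: "vfio: error no iommu_group for device" is now also printed when the link target merely did not fit, which can mislead whoever reads the log.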
--
1.8.1.4
* [Qemu-devel] [PATCH v2 2/2] pci-assign: Fix potential read beyond buffer on -EBUSY
From: Markus Armbruster @ 2014-02-24 13:51 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, alex.williamson
readlink() doesn't write a terminating null byte.
assign_failed_examine() passes the unterminated string to strrchr().
Oops. Terminate it.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/i386/kvm/pci-assign.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index 9686801..a825871 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -743,6 +743,7 @@ static void assign_failed_examine(AssignedDevice *dev)
goto fail;
}
+ driver[r] = 0;
ns = strrchr(driver, '/');
if (!ns) {
goto fail;
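Review bot: `driver[r] = 0;` is in bounds only if the check ending in the `goto fail;` just above rejects `r >= sizeof(driver)`; patch 1/2's commit message says assign_failed_examine() already treats a completely filled buffer as an error, but that check is outside the visible context of this hunk. Consider widening the context or stating that precondition in the commit message, so a later change to the bound check cannot silently turn this terminator into the same one-past-the-end write that 1/2 fixes in vfio.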
--
1.8.1.4
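As an added example (not QEMU code and not part of either patch above): a readlink() wrapper that applies the rule from 1/2, a completely filled buffer is rejected with ENAMETOOLONG instead of being terminated one byte past its end, and then performs the strrchr() basename extraction from 2/2 on the now-terminated string. The symlink fixture, its target string and the g_link/g_buf buffers are constructed here for the demonstration and stand in for the sysfs iommu_group link; nothing under /sys is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read a symlink into buf and NUL-terminate it.  Returns the target length,
 * or -1 with errno set.  A target that fills the buffer completely is
 * rejected with ENAMETOOLONG (the rule the vfio patch adopts): there is no
 * room for the terminator, so buf[len] = 0 would write one byte past the end. */
static ssize_t readlink_z(const char *path, char *buf, size_t size)
{
    ssize_t len = readlink(path, buf, size);  /* bound is this buffer's size */
    if (len < 0) {
        return -1;
    }
    if ((size_t)len >= size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[len] = '\0';  /* readlink() never writes this byte itself */
    return len;
}

/* Last component of the link target, found with strrchr() as vfio (group
 * number) and pci-assign (driver name) do.  NULL on error. */
static const char *link_basename(const char *path, char *buf, size_t size)
{
    const char *slash;
    if (readlink_z(path, buf, size) < 0) {
        return NULL;
    }
    slash = strrchr(buf, '/');  /* safe only because buf is terminated */
    return slash ? slash + 1 : buf;
}

static char g_link[64], g_buf[64];  /* constructed fixture buffers */

/* Fixture: a symlink with a constructed target in a temp dir, standing in
 * for the sysfs iommu_group link.  0 on success, -1 on failure. */
static int make_test_link(const char *target)
{
    char dir[] = "/tmp/readlink_zXXXXXX";
    if (!mkdtemp(dir)) {
        return -1;
    }
    snprintf(g_link, sizeof(g_link), "%s/iommu_group", dir);
    return symlink(target, g_link);
}
```

With a 31-byte target, a 32-byte buffer succeeds and a 31-byte buffer is rejected; the original vfio code would have accepted the latter and written the terminator out of bounds.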
* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
From: Alex Williamson @ 2014-02-24 17:39 UTC (permalink / raw)
To: Markus Armbruster; +Cc: peter.maydell, qemu-devel
On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
> v2:
> * Treat readlink() filling buffer as error (Alex)
> * Use sizeof() rather than PATH_MAX (Peter)
> * PATCH 2/2 unchanged
>
> Markus Armbruster (2):
> vfio: Fix overrun after readlink() fills buffer completely
> pci-assign: Fix potential read beyond buffer on -EBUSY
>
> hw/i386/kvm/pci-assign.c | 1 +
> hw/misc/vfio.c | 6 +++---
> 2 files changed, 4 insertions(+), 3 deletions(-)
For both:
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Peter, if you want to grab these directly, feel free, otherwise I can
shepherd them in through vfio. Thanks,
Alex
* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
From: Peter Maydell @ 2014-02-24 17:40 UTC (permalink / raw)
To: Alex Williamson; +Cc: Markus Armbruster, QEMU Developers
On 24 February 2014 17:39, Alex Williamson <alex.williamson@redhat.com> wrote:
> On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
>> v2:
>> * Treat readlink() filling buffer as error (Alex)
>> * Use sizeof() rather than PATH_MAX (Peter)
>> * PATCH 2/2 unchanged
>>
>> Markus Armbruster (2):
>> vfio: Fix overrun after readlink() fills buffer completely
>> pci-assign: Fix potential read beyond buffer on -EBUSY
>>
>> hw/i386/kvm/pci-assign.c | 1 +
>> hw/misc/vfio.c | 6 +++---
>> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> For both:
>
> Acked-by: Alex Williamson <alex.williamson@redhat.com>
>
> Peter, if you want to grab these directly, feel free, otherwise I can
> shepherd them in through vfio. Thanks,
Via vfio would be easiest for me.
thanks
-- PMM
* Re: [Qemu-devel] [PATCH v2 0/2] Two buffer overruns in device assignment
From: Alex Williamson @ 2014-02-24 17:49 UTC (permalink / raw)
To: Peter Maydell; +Cc: Markus Armbruster, QEMU Developers
On Mon, 2014-02-24 at 17:40 +0000, Peter Maydell wrote:
> On 24 February 2014 17:39, Alex Williamson <alex.williamson@redhat.com> wrote:
> > On Mon, 2014-02-24 at 14:51 +0100, Markus Armbruster wrote:
> >> v2:
> >> * Treat readlink() filling buffer as error (Alex)
> >> * Use sizeof() rather than PATH_MAX (Peter)
> >> * PATCH 2/2 unchanged
> >>
> >> Markus Armbruster (2):
> >> vfio: Fix overrun after readlink() fills buffer completely
> >> pci-assign: Fix potential read beyond buffer on -EBUSY
> >>
> >> hw/i386/kvm/pci-assign.c | 1 +
> >> hw/misc/vfio.c | 6 +++---
> >> 2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > For both:
> >
> > Acked-by: Alex Williamson <alex.williamson@redhat.com>
> >
> > Peter, if you want to grab these directly, feel free, otherwise I can
> > shepherd them in through vfio. Thanks,
>
> Via vfio would be easiest for me.
Ok