From: Daniele Buono <dbuono@linux.vnet.ibm.com>
To: dbuono@linux.vnet.ibm.com, qemu-devel@nongnu.org
Cc: Fam Zheng <fam@euphon.net>, Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH v3 5/9] scsi: fix overflow in scsi_disk_new_request_dump
Date: Thu, 5 Nov 2020 17:19:01 -0500 [thread overview]
Message-ID: <20201105221905.1350-6-dbuono@linux.vnet.ibm.com> (raw)
In-Reply-To: <20201105221905.1350-1-dbuono@linux.vnet.ibm.com>
scsi_disk_new_request_dump is used to dump the content of a scsi request
for tracing. It does that by decoding the command to get the size of the
command buffer, and then printing the content of such buffer on a string.
When using gcc with link-time optimizations, it warns that the argument of
malloc may be too large.
In function 'scsi_disk_new_request_dump',
inlined from 'scsi_new_request' at ../qemu-cfi-v3/hw/scsi/scsi-disk.c:2588:9:
../qemu-cfi-v3/hw/scsi/scsi-disk.c:2562:17: warning: argument 1 value '18446744073709551612' exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
line_buffer = g_malloc(len * 5 + 1);
^
../qemu-cfi-v3/hw/scsi/scsi-disk.c: In function 'scsi_new_request':
/usr/include/glib-2.0/glib/gmem.h:78:10: note: in a call to allocation function 'g_malloc' declared here
gpointer g_malloc (gsize n_bytes) G_GNUC_MALLOC G_GNUC_ALLOC_SIZE(1);
len is a signed integer filled up by scsi_cdb_length which can return -1
if it can't decode the command. In this case, g_malloc would probably fail.
However, an unknown command here is a possibility, and since this is used for
tracing, we should try to print the command anyway, for debugging purposes.
Since knowing the size of the command in the buffer is impossible (could not
decode the command), only print the header by setting len=1 if scsi_cdb_length
returned -1
Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
---
If we had a way to know the (maximum) size of the buffer, we could
alternatively dump the whole buffer, instead of dumping only the
first byte. Not sure if this can be done, nor if it is considered
a better option.
We could also produce an error instead/in addition to just dumping
the buffer, if the command cannot be decoded.
hw/scsi/scsi-disk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index e859534eaf..d70dfdd9dc 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2559,6 +2559,10 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
int len = scsi_cdb_length(buf);
char *line_buffer, *p;
+ if (len < 0) {
+ len = 1;
+ }
+
line_buffer = g_malloc(len * 5 + 1);
for (i = 0, p = line_buffer; i < len; i++) {
--
2.17.1
next prev parent reply other threads:[~2020-11-05 22:27 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 22:18 [PATCH v3 0/9] Add support for Control-Flow Integrity Daniele Buono
2020-11-05 22:18 ` [PATCH v3 1/9] fuzz: Make fork_fuzz.ld compatible with LLVM's LLD Daniele Buono
2020-11-06 14:50 ` Alexander Bulekov
2020-11-19 22:06 ` Daniele Buono
2020-12-13 2:51 ` Alexander Bulekov
2020-11-05 22:18 ` [PATCH v3 2/9] s390x: fix clang 11 warnings in cpu_models.c Daniele Buono
2020-11-09 11:12 ` Cornelia Huck
2020-11-05 22:18 ` [PATCH v3 3/9] hw/usb: reorder fields in UASStatus Daniele Buono
2020-11-06 14:28 ` [PATCH-for-5.2? " Philippe Mathieu-Daudé
2020-11-19 16:16 ` Daniele Buono
2021-01-14 8:17 ` Marc-André Lureau
2021-01-14 19:33 ` Daniele Buono
2021-01-18 11:38 ` Philippe Mathieu-Daudé
2021-01-18 16:09 ` Gerd Hoffmann
2020-11-05 22:19 ` [PATCH v3 4/9] s390x: Avoid variable size warning in ipl.h Daniele Buono
2020-11-09 11:14 ` Cornelia Huck
2020-11-05 22:19 ` Daniele Buono [this message]
2020-11-06 14:32 ` [PATCH-for-5.2? v3 5/9] scsi: fix overflow in scsi_disk_new_request_dump Philippe Mathieu-Daudé
2020-11-06 14:43 ` Philippe Mathieu-Daudé
2020-11-09 13:26 ` Philippe Mathieu-Daudé
2020-11-19 16:44 ` Daniele Buono
2020-11-05 22:19 ` [PATCH v3 6/9] configure,meson: add option to enable LTO Daniele Buono
2020-11-05 22:19 ` [PATCH v3 7/9] cfi: Initial support for cfi-icall in QEMU Daniele Buono
2020-11-05 22:19 ` [PATCH v3 8/9] check-block: enable iotests with cfi-icall Daniele Buono
2020-11-05 22:19 ` [PATCH v3 9/9] configure,meson: support Control-Flow Integrity Daniele Buono
2020-11-06 12:47 ` [PATCH v3 0/9] Add support for " Cornelia Huck
2020-11-06 13:35 ` Daniele Buono
2020-11-06 14:58 ` Alexander Bulekov
2020-11-19 21:58 ` Daniele Buono
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201105221905.1350-6-dbuono@linux.vnet.ibm.com \
--to=dbuono@linux.vnet.ibm.com \
--cc=fam@euphon.net \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.