All of lore.kernel.org
 help / color / mirror / Atom feed
From: Markus Armbruster <armbru@redhat.com>
To: Jes.Sorensen@redhat.com
Cc: pbonzini@redhat.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/7] Introduce strtosz() library function to convert a string to a byte count.
Date: Mon, 11 Oct 2010 10:51:03 +0200	[thread overview]
Message-ID: <m3tykt3yfc.fsf@blackfin.pond.sub.org> (raw)
In-Reply-To: <1286529360-5715-2-git-send-email-Jes.Sorensen@redhat.com> (Jes Sorensen's message of "Fri, 8 Oct 2010 11:15:54 +0200")

Jes.Sorensen@redhat.com writes:

> From: Jes Sorensen <Jes.Sorensen@redhat.com>
>
> strtosz() returns -1 on error.
>
> v2 renamed from strtobytes() to strtosz() as suggested by Markus.
>
> Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
> ---
>  cutils.c      |   39 +++++++++++++++++++++++++++++++++++++++
>  qemu-common.h |    1 +
>  vl.c          |   31 ++++++++++---------------------
>  3 files changed, 50 insertions(+), 21 deletions(-)
>
> diff --git a/cutils.c b/cutils.c
> index 5883737..ee591c5 100644
> --- a/cutils.c
> +++ b/cutils.c
> @@ -283,3 +283,42 @@ int fcntl_setfl(int fd, int flag)
>  }
>  #endif
>  
> +/*
> + * Convert string to bytes, allowing either K/k for KB, M/m for MB,
> + * G/g for GB or T/t for TB. Default without any postfix is MB.
> + * End pointer will be returned in *end, if end is valid.
> + * Return -1 on error.
> + */
> +ssize_t strtosz(const char *nptr, char **end)
> +{
> +    int64_t value;

long long, please, because that's what strtoll() returns.

> +    char *endptr;
> +
> +    value = strtoll(nptr, &endptr, 0);
> +    switch (*endptr++) {
> +    case 'K':
> +    case 'k':
> +        value <<= 10;
> +        break;
> +    case 0:
> +    case 'M':
> +    case 'm':
> +        value <<= 20;
> +        break;
> +    case 'G':
> +    case 'g':
> +        value <<= 30;
> +        break;
> +    case 'T':
> +    case 't':
> +        value <<= 40;
> +        break;
> +    default:
> +        value = -1;
> +    }
> +
> +    if (end)
> +        *end = endptr;
> +
> +    return value;

Casts value to ssize_t, which might truncate.

> +}

Sloppy use of strtoll().

Both tolerable as long as the patch doesn't make things worse.  Let's
see:

> diff --git a/qemu-common.h b/qemu-common.h
> index 81aafa0..0a062d4 100644
> --- a/qemu-common.h
> +++ b/qemu-common.h
> @@ -153,6 +153,7 @@ time_t mktimegm(struct tm *tm);
>  int qemu_fls(int i);
>  int qemu_fdatasync(int fd);
>  int fcntl_setfl(int fd, int flag);
> +ssize_t strtosz(const char *nptr, char **end);
>  
>  /* path.c */
>  void init_paths(const char *prefix);
> diff --git a/vl.c b/vl.c
> index df414ef..6043fa2 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -734,16 +734,13 @@ static void numa_add(const char *optarg)
>          if (get_param_value(option, 128, "mem", optarg) == 0) {
>              node_mem[nodenr] = 0;
>          } else {
> -            value = strtoull(option, &endptr, 0);
> -            switch (*endptr) {
> -            case 0: case 'M': case 'm':
> -                value <<= 20;
> -                break;
> -            case 'G': case 'g':
> -                value <<= 30;
> -                break;
> +            ssize_t sval;
> +            sval = strtosz(option, NULL);
> +            if (sval < 0) {
> +                fprintf(stderr, "qemu: invalid numa mem size: %s\n", optarg);
> +                exit(1);

                        Before                          After
Invalid number          silently interpreted as zero    no change
Overflow                silently capped to ULLONG_MAX   LLONG_MAX, then
                                                        trunc ssize_t
Invalid size suffix     silently ignored                rejected

>              }
> -            node_mem[nodenr] = value;
> +            node_mem[nodenr] = sval;
>          }
>          if (get_param_value(option, 128, "cpus", optarg) == 0) {
>              node_cpumask[nodenr] = 0;
> @@ -2163,18 +2160,10 @@ int main(int argc, char **argv, char **envp)
>                  exit(0);
>                  break;
>              case QEMU_OPTION_m: {
> -                uint64_t value;
> -                char *ptr;
> +                ssize_t value;
>  
> -                value = strtoul(optarg, &ptr, 10);
> -                switch (*ptr) {
> -                case 0: case 'M': case 'm':
> -                    value <<= 20;
> -                    break;
> -                case 'G': case 'g':
> -                    value <<= 30;
> -                    break;
> -                default:
> +                value = strtosz(optarg, NULL);
> +                if (value < 0) {
>                      fprintf(stderr, "qemu: invalid ram size: %s\n", optarg);
>                      exit(1);
>                  }

                        Before                          After
Invalid number          silently interpreted as zero    no change
Overflow                silently capped to ULLONG_MAX   LLONG_MAX, then
                                                        trunc ssize_t
Invalid size suffix     rejected                        no change

A bit more context:


                   /* On 32-bit hosts, QEMU is limited by virtual address space */
                   if (value > (2047 << 20) && HOST_LONG_BITS == 32) {
                       fprintf(stderr, "qemu: at most 2047 MB RAM can be simulated\n");
                       exit(1);
                   }
                   if (value != (uint64_t)(ram_addr_t)value) {
                       fprintf(stderr, "qemu: ram size too large\n");
                       exit(1);
                   }
                   ram_size = value;
                   break;

I'm afraid you break both conditionals for 32 bit hosts.

On such hosts, ssize_t is 32 bits wide.  strtosz() parses 64 bits
internally, but truncates to 32 bits silently.

The old code reliably rejects values larger than 2047MiB.  Your
truncation can change a value exceeding the limit to one within the
limit.  First conditional becomes unreliable.

The second conditional becomes useless: it sign-extends a non-negative
32 bit integer value to 64 bit, then truncates back, and checks the
value stays the same.  It trivially does.


I strongly recommend to make strtosz() sane from the start, not in a
later patch: proper error checking, including proper handling of
overflow.

Perhaps squashing 1-3/7 would get us there, or at least closer.

  reply	other threads:[~2010-10-11  8:51 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-10-08  9:15 [Qemu-devel] [PATCH v4 0/7] Introduce strtosz and make use of it Jes.Sorensen
2010-10-08  9:15 ` [Qemu-devel] [PATCH 1/7] Introduce strtosz() library function to convert a string to a byte count Jes.Sorensen
2010-10-11  8:51   ` Markus Armbruster [this message]
2010-10-11 12:45     ` Jes Sorensen
2010-10-11 14:39       ` Markus Armbruster
2010-10-08  9:15 ` [Qemu-devel] [PATCH 2/7] Support human unit formats in strtosz, eg. 1.0G Jes.Sorensen
2010-10-08  9:37   ` Stefan Weil
2010-10-08  9:15 ` [Qemu-devel] [PATCH 3/7] Add more error handling to strtosz() Jes.Sorensen
2010-10-08  9:38   ` Stefan Weil
2010-10-08  9:15 ` [Qemu-devel] [PATCH 4/7] Add support for 'o' octet (bytes) format as monitor parameter Jes.Sorensen
2010-10-08  9:15 ` [Qemu-devel] [PATCH 5/7] Switch migrate_set_speed() to take an 'o' argument rather than a float Jes.Sorensen
2010-10-11  9:03   ` Markus Armbruster
2010-10-11  9:26     ` Paolo Bonzini
2010-10-11  9:58     ` Jes Sorensen
2010-10-08  9:15 ` [Qemu-devel] [PATCH 6/7] Clarify default values in migration speed argument in monitor Jes.Sorensen
2010-10-08 16:21   ` [Qemu-devel] " Paolo Bonzini
2010-10-11  6:45     ` Jes Sorensen
2010-10-08  9:16 ` [Qemu-devel] [PATCH 7/7] Remove obsolete 'f' double parameter type Jes.Sorensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m3tykt3yfc.fsf@blackfin.pond.sub.org \
    --to=armbru@redhat.com \
    --cc=Jes.Sorensen@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.