From: P J P <ppandit@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Ameya More <ameya.more@oracle.com>, Fam Zheng <famz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] lsi53c895a: check message length value
Date: Fri, 26 Oct 2018 15:06:45 +0530 (IST) [thread overview]
Message-ID: <nycvar.YSQ.7.76.1810261325110.8270@xnncv> (raw)
In-Reply-To: <9677a72a-612b-fe4d-cd19-bb5f2e803c58@redhat.com>
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| > - int msg_len;
| > + uint8_t msg_len;
|
| Not wrong per se, but it's also not clear why it's needed. I understand
| that you want to switch from signed to unsigned, but it is not mentioned
| in the commit message.
Changed to uint8_t because IIUC 'msg_len' is likely be < LSI_MAX_MSGIN_LEN=8.
And uint32_t seems rather large for it.
| The switch to 8-bit, and below from VMSTATE_INT32 to VMSTATE_UINT8, is
| wrong because it changes the format of the live migration stream.
I see.
| I'm not sure it's appropriate to check for out of bounds reads here,
| because if s->msg_len is greater than LSI_MAX_MSGIN_LEN, then this test
| doesn't exclude you've already had an out of bounds write before.
| Indeed the msg_len is checked in lsi_add_msg_byte in order to avoid out
| of bounds accesses in either lsi_add_msg_byte or lsi_do_msgin. You
| could assert here that the variable is in range, I guess.
Okay.
| However, the out of bounds s->msg_len can actually happen in one other
| case: namely, if a malicious live migration stream includes a bogus
| s->msg_len. Such live migration stream should be rejected; the fix for
| that is to add a lsi_post_load function, point to it in
| vmstate_lsi_scsi, and check there for s->msg_len <= LSI_MAX_MSGIN_LEN.
Okay, sending a revised patch v1 in a bit.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
prev parent reply other threads:[~2018-10-26 9:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-25 20:09 [Qemu-devel] [PATCH] lsi53c895a: check message length value P J P
2018-10-25 20:40 ` Ameya More
2018-10-26 9:25 ` P J P
2018-10-26 14:01 ` Mark Kanda
2018-10-26 18:37 ` P J P
2018-10-26 18:45 ` Mark Kanda
2018-10-26 19:08 ` P J P
2018-10-25 23:18 ` Paolo Bonzini
2018-10-26 9:36 ` P J P [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YSQ.7.76.1810261325110.8270@xnncv \
--to=ppandit@redhat.com \
--cc=ameya.more@oracle.com \
--cc=famz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.