From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>,
qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu,
pbonzini@redhat.com
Subject: Re: [PATCH v3 05/11] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
Date: Thu, 1 Apr 2021 11:51:44 +0100 [thread overview]
Message-ID: <854e3d13-4610-8780-e27c-a7cb72b54dd1@ilande.co.uk> (raw)
In-Reply-To: <0c3900c2-fa72-47ea-d48c-625dd1b40734@amsat.org>
On 01/04/2021 10:34, Philippe Mathieu-Daudé wrote:
> On 4/1/21 9:49 AM, Mark Cave-Ayland wrote:
>> The const pointer returned by fifo8_pop_buf() lies directly within the array used
>> to model the FIFO. Building with address sanitisers enabled shows that if the
>
> Typo "sanitizers"
Ha. It's definitely "sanitiser" here in the UK (UK English) as opposed to "sanitizer"
(US English). I don't really mind either way, but I can fix this if it needs a v4
following Paolo's comments.
>> caller expects a minimum number of bytes present then if the FIFO is nearly full,
>> the caller may unexpectedly access past the end of the array.
>
> Why isn't it a problem with the other models? Because the pointed
> buffer is consumed directly?
Yes that's correct, which is why Fifo8 currently doesn't support wraparound. I
haven't analysed how other devices have used it but I would imagine there would be an
ASan hit if it were being misused this way.
>> Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
>> memcpy() in it to guarantee that the caller cannot overwrite the FIFO array and
>> update all callers to use it. Similarly add underflow protection similar to
>> esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert()
>> the operation becomes a no-op.
>
> This is OK for your ESP model.
>
> Now thinking loudly about the Fifo8 API, shouldn't this be part of it?
>
> Something prototype like:
>
> /**
> * fifo8_pop_buf:
> * @do_copy: If %true, also copy data to @bufptr.
> */
> size_t fifo8_pop_buf(Fifo8 *fifo,
> void **bufptr,
> size_t buflen,
> bool do_copy);
That could work, and may even allow support for wraparound in future. I suspect
things would become clearer after looking at the other Fifo8 users to see if this is
worth an API change/alternative API.
ATB,
Mark.
next prev parent reply other threads:[~2021-04-01 10:55 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-01 7:49 [PATCH v3 00/11] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 01/11] esp: always check current_req is not NULL before use in DMA callbacks Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 02/11] esp: rework write_response() to avoid using the FIFO for DMA transactions Mark Cave-Ayland
2021-04-01 8:26 ` Philippe Mathieu-Daudé
2021-04-01 7:49 ` [PATCH v3 03/11] esp: consolidate esp_cmdfifo_push() into esp_fifo_push() Mark Cave-Ayland
2021-04-01 8:15 ` Philippe Mathieu-Daudé
2021-04-01 8:50 ` Mark Cave-Ayland
2021-04-01 9:16 ` Philippe Mathieu-Daudé
2021-04-01 7:49 ` [PATCH v3 04/11] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop() Mark Cave-Ayland
2021-04-01 8:15 ` Philippe Mathieu-Daudé
2021-04-01 7:49 ` [PATCH v3 05/11] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf() Mark Cave-Ayland
2021-04-01 9:34 ` Philippe Mathieu-Daudé
2021-04-01 10:51 ` Mark Cave-Ayland [this message]
2021-04-01 18:05 ` Philippe Mathieu-Daudé
2021-04-01 7:49 ` [PATCH v3 06/11] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland
2021-04-01 8:17 ` Philippe Mathieu-Daudé
2021-04-01 7:49 ` [PATCH v3 07/11] esp: don't underflow cmdfifo in do_cmd() Mark Cave-Ayland
2021-04-01 8:19 ` Philippe Mathieu-Daudé
2021-04-01 8:51 ` Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd() Mark Cave-Ayland
2021-04-01 8:19 ` Philippe Mathieu-Daudé
2021-04-01 8:56 ` Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 09/11] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 10/11] esp: don't reset async_len directly in esp_select() if cancelling request Mark Cave-Ayland
2021-04-01 7:49 ` [PATCH v3 11/11] tests/qtest: add tests for am53c974 device Mark Cave-Ayland
2021-04-01 16:55 ` Alexander Bulekov
2021-04-02 7:29 ` Mark Cave-Ayland
2021-04-01 17:00 ` [PATCH v3 00/11] esp: fix asserts/segfaults discovered by fuzzer Alexander Bulekov
2021-04-02 7:35 ` Mark Cave-Ayland
2021-04-02 16:20 ` [PATCH] tests/qtest: add one more test for the am53c974 Alexander Bulekov
2021-04-03 14:38 ` Mark Cave-Ayland
2021-04-07 12:08 ` Mark Cave-Ayland
2021-04-07 13:04 ` Mark Cave-Ayland
2021-04-07 14:49 ` Alexander Bulekov
2021-04-07 15:11 ` Mark Cave-Ayland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=854e3d13-4610-8780-e27c-a7cb72b54dd1@ilande.co.uk \
--to=mark.cave-ayland@ilande.co.uk \
--cc=alxndr@bu.edu \
--cc=f4bug@amsat.org \
--cc=laurent@vivier.eu \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).