From: Peter Maydell <peter.maydell@linaro.org>
To: Laurent Vivier <laurent@vivier.eu>
Cc: "Richard Henderson" <richard.henderson@linaro.org>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>
Subject: Re: [PULL 18/40] linux-user: Fix types in uaccess.c
Date: Wed, 10 Mar 2021 15:48:50 +0000 [thread overview]
Message-ID: <CAFEAcA87oLDyFJovHvppa+zwO=XJoFOt3Q5V9Y5+7BU+zDQsVw@mail.gmail.com> (raw)
In-Reply-To: <ec051472-7511-62da-d485-17f7573aa460@vivier.eu>
On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>
> Hi Richard,
>
> I think this commit is the cause of CID 1446711.
>
> There is no concistancy between the various declarations of unlock_user():
>
> bsd-user/qemu.h
>
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
> long len)
>
> include/exec/softmmu-semi.h
>
> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
> target_ulong len)
> ...
> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>
> linux-user/qemu.h
>
> #ifndef DEBUG_REMAP
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
> { }
> #else
> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
> #endif
>
> To take a signed long here allows to unconditionnaly call the unlock_user() function after the
> syscall and not to copy the buffer if the value is negative.
Hi; what was the conclusion here about how best to fix the Coverity issue?
To save people looking it up, Coverity complains because in the
TARGET_NR_readlinkat case for linux-user we do:
void *p2;
p = lock_user_string(arg2);
p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
if (!p || !p2) {
ret = -TARGET_EFAULT;
} else if (is_proc_myself((const char *)p, "exe")) {
char real[PATH_MAX], *temp;
temp = realpath(exec_path, real);
ret = temp == NULL ? get_errno(-1) : strlen(real) ;
snprintf((char *)p2, arg4, "%s", real);
} else {
ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
}
unlock_user(p2, arg3, ret);
unlock_user(p, arg2, 0);
and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
codepaths we can set ret to a negative number, which Coverity thinks
is suspicious given that unlock_user()'s new prototype says it
is an unsigned value. It's correct to be suspicious, because we really
did change from doing a >=0 to a !=0 check on the length.
Unless we really want to audit all the unlock_user() callsites,
going back to the previous semantics seems sensible.
thanks
-- PMM
next prev parent reply other threads:[~2021-03-10 15:51 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-16 16:16 [PULL 00/40] target-arm queue Peter Maydell
2021-02-16 16:16 ` [PULL 01/40] tcg: Introduce target-specific page data for user-only Peter Maydell
2021-02-16 16:16 ` [PULL 02/40] linux-user: Introduce PAGE_ANON Peter Maydell
2021-04-06 14:45 ` Laurent Vivier
2021-02-16 16:16 ` [PULL 03/40] exec: Use uintptr_t for guest_base Peter Maydell
2021-02-16 16:16 ` [PULL 04/40] exec: Use uintptr_t in cpu_ldst.h Peter Maydell
2021-02-16 16:16 ` [PULL 05/40] exec: Improve types for guest_addr_valid Peter Maydell
2021-02-16 16:16 ` [PULL 06/40] linux-user: Check for overflow in access_ok Peter Maydell
2021-02-16 16:16 ` [PULL 07/40] linux-user: Tidy VERIFY_READ/VERIFY_WRITE Peter Maydell
2021-02-16 16:16 ` [PULL 08/40] bsd-user: " Peter Maydell
2021-02-16 16:16 ` [PULL 09/40] linux-user: Do not use guest_addr_valid for h2g_valid Peter Maydell
2021-02-16 16:16 ` [PULL 10/40] linux-user: Fix guest_addr_valid vs reserved_va Peter Maydell
2021-02-16 16:16 ` [PULL 11/40] exec: Introduce cpu_untagged_addr Peter Maydell
2021-02-16 16:16 ` [PULL 12/40] exec: Use cpu_untagged_addr in g2h; split out g2h_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 13/40] linux-user: Explicitly untag memory management syscalls Peter Maydell
2021-02-16 16:16 ` [PULL 14/40] linux-user: Use guest_range_valid in access_ok Peter Maydell
2021-02-16 16:16 ` [PULL 15/40] exec: Rename guest_{addr,range}_valid to *_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 16/40] linux-user: Use cpu_untagged_addr in access_ok; split out *_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 17/40] linux-user: Move lock_user et al out of line Peter Maydell
2021-02-16 16:16 ` [PULL 18/40] linux-user: Fix types in uaccess.c Peter Maydell
2021-02-19 9:21 ` Laurent Vivier
2021-03-10 15:48 ` Peter Maydell [this message]
2021-03-10 16:34 ` Laurent Vivier
2021-03-11 13:25 ` Richard Henderson
2021-02-16 16:16 ` [PULL 19/40] linux-user: Handle tags in lock_user/unlock_user Peter Maydell
2021-02-16 16:16 ` [PULL 20/40] linux-user/aarch64: Implement PR_TAGGED_ADDR_ENABLE Peter Maydell
2021-02-16 16:16 ` [PULL 21/40] target/arm: Improve gen_top_byte_ignore Peter Maydell
2021-02-16 16:16 ` [PULL 22/40] target/arm: Use the proper TBI settings for linux-user Peter Maydell
2021-02-16 16:16 ` [PULL 23/40] linux-user/aarch64: Implement PR_MTE_TCF and PR_MTE_TAG Peter Maydell
2021-02-16 16:16 ` [PULL 24/40] linux-user/aarch64: Implement PROT_MTE Peter Maydell
2021-02-16 16:16 ` [PULL 25/40] target/arm: Split out syndrome.h from internals.h Peter Maydell
2021-02-16 16:16 ` [PULL 26/40] linux-user/aarch64: Pass syndrome to EXC_*_ABORT Peter Maydell
2021-03-12 11:09 ` Laurent Vivier
2021-03-19 19:19 ` Laurent Vivier
2021-03-19 20:24 ` Richard Henderson
2021-02-16 16:16 ` [PULL 27/40] linux-user/aarch64: Signal SEGV_MTESERR for sync tag check fault Peter Maydell
2021-02-16 16:16 ` [PULL 28/40] linux-user/aarch64: Signal SEGV_MTEAERR for async tag check error Peter Maydell
2021-02-16 16:16 ` [PULL 29/40] target/arm: Add allocation tag storage for user mode Peter Maydell
2021-02-16 16:16 ` [PULL 30/40] target/arm: Enable MTE for user-only Peter Maydell
2021-02-16 16:16 ` [PULL 31/40] tests/tcg/aarch64: Add mte smoke tests Peter Maydell
2021-02-16 16:16 ` [PULL 32/40] hw/i2c: Implement NPCM7XX SMBus Module Single Mode Peter Maydell
2021-02-16 16:16 ` [PULL 33/40] hw/arm: Add I2C sensors for NPCM750 eval board Peter Maydell
2021-02-16 16:16 ` [PULL 34/40] hw/arm: Add I2C sensors and EEPROM for GSJ machine Peter Maydell
2021-02-16 16:16 ` [PULL 35/40] hw/i2c: Add a QTest for NPCM7XX SMBus Device Peter Maydell
2021-02-16 16:16 ` [PULL 36/40] hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode Peter Maydell
2021-02-16 16:16 ` [PULL 37/40] MAINTAINERS: add myself maintainer for the clock framework Peter Maydell
2021-02-16 16:16 ` [PULL 38/40] hw/net: Add npcm7xx emc model Peter Maydell
2021-02-16 16:16 ` [PULL 39/40] hw/arm: " Peter Maydell
2021-02-16 16:16 ` [PULL 40/40] tests/qtests: Add npcm7xx emc model test Peter Maydell
2021-02-16 17:01 ` [PULL 00/40] target-arm queue no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFEAcA87oLDyFJovHvppa+zwO=XJoFOt3Q5V9Y5+7BU+zDQsVw@mail.gmail.com' \
--to=peter.maydell@linaro.org \
--cc=f4bug@amsat.org \
--cc=laurent@vivier.eu \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).