From: Richard Henderson <richard.henderson@linaro.org>
To: Laurent Vivier <laurent@vivier.eu>,
Peter Maydell <peter.maydell@linaro.org>
Cc: "QEMU Developers" <qemu-devel@nongnu.org>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>
Subject: Re: [PULL 18/40] linux-user: Fix types in uaccess.c
Date: Thu, 11 Mar 2021 07:25:09 -0600 [thread overview]
Message-ID: <d6a0be1e-ea56-1ab4-44bd-af0cfa1980af@linaro.org> (raw)
In-Reply-To: <b87c934e-ab46-d862-7fcc-736d6e3442b2@vivier.eu>
On 3/10/21 10:34 AM, Laurent Vivier wrote:
> Le 10/03/2021 à 16:48, Peter Maydell a écrit :
>> On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>>>
>>> Hi Richard,
>>>
>>> I think this commit is the cause of CID 1446711.
>>>
>>> There is no concistancy between the various declarations of unlock_user():
>>>
>>> bsd-user/qemu.h
>>>
>>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
>>> long len)
>>>
>>> include/exec/softmmu-semi.h
>>>
>>> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
>>> target_ulong len)
>>> ...
>>> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>>>
>>> linux-user/qemu.h
>>>
>>> #ifndef DEBUG_REMAP
>>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
>>> { }
>>> #else
>>> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>>> #endif
>>>
>>> To take a signed long here allows to unconditionnaly call the unlock_user() function after the
>>> syscall and not to copy the buffer if the value is negative.
>>
>> Hi; what was the conclusion here about how best to fix the Coverity issue?
>
> For what I know, there is no conclusion.
>
>> To save people looking it up, Coverity complains because in the
>> TARGET_NR_readlinkat case for linux-user we do:
>> void *p2;
>> p = lock_user_string(arg2);
>> p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
>> if (!p || !p2) {
>> ret = -TARGET_EFAULT;
>> } else if (is_proc_myself((const char *)p, "exe")) {
>> char real[PATH_MAX], *temp;
>> temp = realpath(exec_path, real);
>> ret = temp == NULL ? get_errno(-1) : strlen(real) ;
>> snprintf((char *)p2, arg4, "%s", real);
>> } else {
>> ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
>> }
>> unlock_user(p2, arg3, ret);
>> unlock_user(p, arg2, 0);
>>
>> and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
>> codepaths we can set ret to a negative number, which Coverity thinks
>> is suspicious given that unlock_user()'s new prototype says it
>> is an unsigned value. It's correct to be suspicious, because we really
>> did change from doing a >=0 to a !=0 check on the length.
>>
>> Unless we really want to audit all the unlock_user() callsites,
>> going back to the previous semantics seems sensible.
>
> I agree with that.
This passing of an errno to unlock_user is... horrible. I guess we have to
revert to the signed type.
r~
next prev parent reply other threads:[~2021-03-11 13:26 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-16 16:16 [PULL 00/40] target-arm queue Peter Maydell
2021-02-16 16:16 ` [PULL 01/40] tcg: Introduce target-specific page data for user-only Peter Maydell
2021-02-16 16:16 ` [PULL 02/40] linux-user: Introduce PAGE_ANON Peter Maydell
2021-04-06 14:45 ` Laurent Vivier
2021-02-16 16:16 ` [PULL 03/40] exec: Use uintptr_t for guest_base Peter Maydell
2021-02-16 16:16 ` [PULL 04/40] exec: Use uintptr_t in cpu_ldst.h Peter Maydell
2021-02-16 16:16 ` [PULL 05/40] exec: Improve types for guest_addr_valid Peter Maydell
2021-02-16 16:16 ` [PULL 06/40] linux-user: Check for overflow in access_ok Peter Maydell
2021-02-16 16:16 ` [PULL 07/40] linux-user: Tidy VERIFY_READ/VERIFY_WRITE Peter Maydell
2021-02-16 16:16 ` [PULL 08/40] bsd-user: " Peter Maydell
2021-02-16 16:16 ` [PULL 09/40] linux-user: Do not use guest_addr_valid for h2g_valid Peter Maydell
2021-02-16 16:16 ` [PULL 10/40] linux-user: Fix guest_addr_valid vs reserved_va Peter Maydell
2021-02-16 16:16 ` [PULL 11/40] exec: Introduce cpu_untagged_addr Peter Maydell
2021-02-16 16:16 ` [PULL 12/40] exec: Use cpu_untagged_addr in g2h; split out g2h_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 13/40] linux-user: Explicitly untag memory management syscalls Peter Maydell
2021-02-16 16:16 ` [PULL 14/40] linux-user: Use guest_range_valid in access_ok Peter Maydell
2021-02-16 16:16 ` [PULL 15/40] exec: Rename guest_{addr,range}_valid to *_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 16/40] linux-user: Use cpu_untagged_addr in access_ok; split out *_untagged Peter Maydell
2021-02-16 16:16 ` [PULL 17/40] linux-user: Move lock_user et al out of line Peter Maydell
2021-02-16 16:16 ` [PULL 18/40] linux-user: Fix types in uaccess.c Peter Maydell
2021-02-19 9:21 ` Laurent Vivier
2021-03-10 15:48 ` Peter Maydell
2021-03-10 16:34 ` Laurent Vivier
2021-03-11 13:25 ` Richard Henderson [this message]
2021-02-16 16:16 ` [PULL 19/40] linux-user: Handle tags in lock_user/unlock_user Peter Maydell
2021-02-16 16:16 ` [PULL 20/40] linux-user/aarch64: Implement PR_TAGGED_ADDR_ENABLE Peter Maydell
2021-02-16 16:16 ` [PULL 21/40] target/arm: Improve gen_top_byte_ignore Peter Maydell
2021-02-16 16:16 ` [PULL 22/40] target/arm: Use the proper TBI settings for linux-user Peter Maydell
2021-02-16 16:16 ` [PULL 23/40] linux-user/aarch64: Implement PR_MTE_TCF and PR_MTE_TAG Peter Maydell
2021-02-16 16:16 ` [PULL 24/40] linux-user/aarch64: Implement PROT_MTE Peter Maydell
2021-02-16 16:16 ` [PULL 25/40] target/arm: Split out syndrome.h from internals.h Peter Maydell
2021-02-16 16:16 ` [PULL 26/40] linux-user/aarch64: Pass syndrome to EXC_*_ABORT Peter Maydell
2021-03-12 11:09 ` Laurent Vivier
2021-03-19 19:19 ` Laurent Vivier
2021-03-19 20:24 ` Richard Henderson
2021-02-16 16:16 ` [PULL 27/40] linux-user/aarch64: Signal SEGV_MTESERR for sync tag check fault Peter Maydell
2021-02-16 16:16 ` [PULL 28/40] linux-user/aarch64: Signal SEGV_MTEAERR for async tag check error Peter Maydell
2021-02-16 16:16 ` [PULL 29/40] target/arm: Add allocation tag storage for user mode Peter Maydell
2021-02-16 16:16 ` [PULL 30/40] target/arm: Enable MTE for user-only Peter Maydell
2021-02-16 16:16 ` [PULL 31/40] tests/tcg/aarch64: Add mte smoke tests Peter Maydell
2021-02-16 16:16 ` [PULL 32/40] hw/i2c: Implement NPCM7XX SMBus Module Single Mode Peter Maydell
2021-02-16 16:16 ` [PULL 33/40] hw/arm: Add I2C sensors for NPCM750 eval board Peter Maydell
2021-02-16 16:16 ` [PULL 34/40] hw/arm: Add I2C sensors and EEPROM for GSJ machine Peter Maydell
2021-02-16 16:16 ` [PULL 35/40] hw/i2c: Add a QTest for NPCM7XX SMBus Device Peter Maydell
2021-02-16 16:16 ` [PULL 36/40] hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode Peter Maydell
2021-02-16 16:16 ` [PULL 37/40] MAINTAINERS: add myself maintainer for the clock framework Peter Maydell
2021-02-16 16:16 ` [PULL 38/40] hw/net: Add npcm7xx emc model Peter Maydell
2021-02-16 16:16 ` [PULL 39/40] hw/arm: " Peter Maydell
2021-02-16 16:16 ` [PULL 40/40] tests/qtests: Add npcm7xx emc model test Peter Maydell
2021-02-16 17:01 ` [PULL 00/40] target-arm queue no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6a0be1e-ea56-1ab4-44bd-af0cfa1980af@linaro.org \
--to=richard.henderson@linaro.org \
--cc=f4bug@amsat.org \
--cc=laurent@vivier.eu \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).