From patchwork Fri Oct 19 20:38:58 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Liam Merwick X-Patchwork-Id: 10650151 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 64F7213B6 for ; Fri, 19 Oct 2018 20:40:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 53E52284EE for ; Fri, 19 Oct 2018 20:40:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 34E0628518; Fri, 19 Oct 2018 20:40:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9B4F728500 for ; Fri, 19 Oct 2018 20:40:11 +0000 (UTC) Received: from localhost ([::1]:52641 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gDbZ4-0000Mb-GZ for patchwork-qemu-devel@patchwork.kernel.org; Fri, 19 Oct 2018 16:40:10 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54622) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gDbXt-0007rs-0g for qemu-devel@nongnu.org; Fri, 19 Oct 2018 16:38:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gDbXs-0002PA-4V for qemu-devel@nongnu.org; Fri, 19 Oct 2018 16:38:56 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:48058) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gDbXn-00026v-GI; Fri, 19 Oct 2018 16:38:51 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9JKYZAg148316; Fri, 19 Oct 2018 20:38:48 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=j1MAtuctf9NC9Sgc9HczKUgu0IGumVjk1UzAJ0bQ6aM=; b=qXr5yAFkoGdU3etiA4z7nAtAei3FpvMMXn9mH/FHiClLjtlodlXqu/GQhgWFGqAuYEJN f9gjjWGsoNEggTJj8KQng18JUDkdAuHeKoVmre50YluPTZqIY1R2d55J2Vcxtdopaz8N pA2tR07TFQTY4do5Ms3fHe8tadFcVJN6ibUU/8k6/RLPoSJ7UuJ7niKCq6NJVfpMfMgu 7Yg1Zs23amCAIIqEnDl1ZjJ1TZTnrFLKEvNk9bywcZ8hXuE8PQ65sjAGQDjYKFyDQyph 8gwkR6qNcHKfwSsRlBLqzdOSqgsGqtCYdM0J3iOjN9FZffEXT7tpHeNiCN3o4j7jjPRI JQ== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2n38nqp1rt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 19 Oct 2018 20:38:48 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w9JKclsl024282 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 19 Oct 2018 20:38:47 GMT Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w9JKclBU019327; Fri, 19 Oct 2018 20:38:47 GMT Received: from ol7.uk.oracle.com (/10.175.186.240) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 19 Oct 2018 13:38:47 -0700 From: Liam Merwick To: qemu-devel@nongnu.org Date: Fri, 19 Oct 2018 21:38:58 +0100 Message-Id: <1539981546-10596-1-git-send-email-Liam.Merwick@oracle.com> X-Mailer: git-send-email 1.8.3.1 MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9051 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810190183 X-MIME-Autoconverted: from 8bit to quoted-printable by aserp2120.oracle.com id w9JKYZAg148316 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] X-Received-From: 141.146.126.78 Subject: [Qemu-devel] [PATCH v4 0/8] off-by-one and NULL pointer accesses detected by static analysis X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Below are a number of fixes to some off-by-one, read outside array bounds, and NULL pointer accesses detected by an internal Oracle static analysis tool (Parfait). https://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 I have also included a patch to add a command-line option to configure to select if AVX2 is used or not (keeping the existing behaviour by default). My motivation was avoiding an issue with the static analysis tool but NetSpectre was announced as I was working on this and I felt it may have more general uses. v1 -> v2 Based on feedback from Eric Blake: patch2: reworded commit message to clarify issue patch6: Reverted common qlist routines and added assert to qlist_dump instead patch7: Fixed incorrect logic patch8: Added QEMU_BUILD_BUG_ON to catch future Ń–nstance at compile-time v2 -> v3 Based on feedback from Eric Blake: patch6: removed double space from commit message patch8: removed unnecessary comment and updated QEMU_BUILD_BUG_ON to use ARRAY_SIZE Added Eric's R-b to patches 6,7,8 v3 -> v4 Based on feedback from Max Reitz: patch2: Added R-b from John Snow patch3: fixed blk_get_attached_dev_id() instead of checking return value patch4: switched to assert() patch5: numerous changes based on feedback from Max patch6: updated commit message patch7: (was patch8): Added Max's R-b patch8: (new): patch fixing NULL pointer dereference in kvm_arch_init_vcpu() I also dropped the 'io: potential unnecessary check in qio_channel_command_new_spawn()' patch from v3 - it was correct but of no benefit to staic analysis checking Liam Merwick (8): configure: Provide option to explicitly disable AVX2 job: Fix off-by-one assert checks for JobSTT and JobVerbTable block: Null pointer dereference in blk_root_get_parent_desc() qemu-img: assert block_job_get() does not return NULL in img_commit() block: Fix potential Null pointer dereferences in vvfat.c block: dump_qlist() may dereference a Null pointer qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() kvm: Potential NULL pointer dereference in kvm_arch_init_vcpu() block/block-backend.c | 6 +++++- block/qapi.c | 2 ++ block/qcow2-refcount.c | 18 ++++++++++-------- block/vvfat.c | 33 ++++++++++++++++++++++++++++----- configure | 11 +++++++++-- dtc | 2 +- job.c | 4 ++-- qemu-img.c | 1 + target/i386/kvm.c | 4 +++- 9 files changed, 61 insertions(+), 20 deletions(-)