From patchwork Mon Nov 5 21:38:35 2018
X-Patchwork-Submitter: Liam Merwick
X-Patchwork-Id: 10669245
From: Liam Merwick
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com
Date: Mon, 5 Nov 2018 21:38:35 +0000
Message-Id: <1541453919-25973-2-git-send-email-Liam.Merwick@oracle.com>
In-Reply-To: <1541453919-25973-1-git-send-email-Liam.Merwick@oracle.com>
Subject: [Qemu-devel] [PATCH v5 1/5] job: Fix off-by-one assert checks for JobSTT and JobVerbTable

In the assert checking the array dereference of JobVerbTable[verb] in job_apply_verb() the check of the index, verb, allows an overrun because an index equal to the array size is permitted. Similarly, in the assert check of JobSTT[s0][s1] with index s1 in job_state_transition(), an off-by-one overrun is not flagged either. This is not a run-time issue as there are no callers actually passing in the max value.

Signed-off-by: Liam Merwick
Reviewed-by: Darren Kenny
Reviewed-by: Mark Kanda
Reviewed-by: Eric Blake
Reviewed-by: John Snow
---
 job.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/job.c b/job.c
index c65e01bbfa34..da8e4b7bf2f3 100644
--- a/job.c
+++ b/job.c
@@ -159,7 +159,7 @@ bool job_is_internal(Job *job) static void job_state_transition(Job *job, JobStatus s1) { JobStatus s0 = job->status; - assert(s1 >= 0 && s1 <= JOB_STATUS__MAX); + assert(s1 >= 0 && s1 < JOB_STATUS__MAX); trace_job_state_transition(job, job->ret, JobSTT[s0][s1] ? "allowed" : "disallowed", JobStatus_str(s0), JobStatus_str(s1)); 
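Review bot: the corrected bound `s1 < JOB_STATUS__MAX` only holds as long as JOB_STATUS__MAX really is the row and column count of JobSTT, and nothing in this hunk ties the two together. Consider adding a `QEMU_BUILD_BUG_ON(ARRAY_SIZE(JobSTT) != JOB_STATUS__MAX)` next to the table definition, in the same way patch 5/5 of this series guards metadata_ol_names[], so that the next enum addition that forgets to grow the table fails at build time rather than relying on this assert. Note also that `JobSTT[s0][s1]` is indexed by `s0 = job->status` as well, which the assert does not cover; that is acceptable if job->status is only ever set by this function, but a one-line comment stating that invariant would save the next reader the audit.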
@@ -174,7 +174,7 @@ static void job_state_transition(Job *job, JobStatus s1) int job_apply_verb(Job *job, JobVerb verb, Error **errp) { JobStatus s0 = job->status; - assert(verb >= 0 && verb <= JOB_VERB__MAX); + assert(verb >= 0 && verb < JOB_VERB__MAX); trace_job_apply_verb(job, JobStatus_str(s0), JobVerb_str(verb), JobVerbTable[verb][s0] ? "allowed" : "prohibited"); if (JobVerbTable[verb][s0]) {
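Review bot: `JobVerbTable[verb][s0]` is indexed by `s0 = job->status` too, and this assert only bounds `verb`. If job->status can only be written through job_state_transition(), whose assert is fixed in the previous hunk, that is sufficient, but please say so in a comment above the assert so the two checks are visibly paired. Same suggestion as for JobSTT: a `QEMU_BUILD_BUG_ON` on `ARRAY_SIZE(JobVerbTable)` against JOB_VERB__MAX at the table definition would make the `< JOB_VERB__MAX` bound self-evidently correct.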
From patchwork Mon Nov 5 21:38:36 2018
From: Liam Merwick
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com
Date: Mon, 5 Nov 2018 21:38:36 +0000
Message-Id: <1541453919-25973-3-git-send-email-Liam.Merwick@oracle.com>
In-Reply-To: <1541453919-25973-1-git-send-email-Liam.Merwick@oracle.com>
Subject: [Qemu-devel] [PATCH v5 2/5] block: Null pointer dereference in blk_root_get_parent_desc()

The dev_id returned by the call to blk_get_attached_dev_id() in blk_root_get_parent_desc() can be NULL (an internal call to object_get_canonical_path may have returned NULL). Instead of just checking this case before dereferencing, adjust blk_get_attached_dev_id() to return the empty string if no object path can be found (similar to the case when blk->dev is NULL and an empty string is returned).

Signed-off-by: Liam Merwick
Reviewed-by: Max Reitz
---
 block/block-backend.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/block-backend.c b/block/block-backend.c
index dc0cd5772413..a2061a565024 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -918,7 +918,8 @@ char *blk_get_attached_dev_id(BlockBackend *blk) } else if (dev->id) { return g_strdup(dev->id); } - return object_get_canonical_path(OBJECT(dev)); + + return object_get_canonical_path(OBJECT(dev)) ?: g_strdup(""); } /*
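Review bot: the `?: g_strdup("")` fallback keeps the function's contract that every return value is a heap string the caller must g_free(), which is the right fix and matches the `blk->dev == NULL` case the commit message cites. Two small points: the hunk also inserts a bare blank line between the closing brace of the if/else chain and the return, which changes the function's spacing for no reason and should be dropped; and since the commit message is the only place that says object_get_canonical_path() can return NULL here, a one-line comment above the return stating that would keep the reason for the fallback next to the code.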
From patchwork Mon Nov 5 21:38:37 2018
From: Liam Merwick
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com
Date: Mon, 5 Nov 2018 21:38:37 +0000
Message-Id: <1541453919-25973-4-git-send-email-Liam.Merwick@oracle.com>
In-Reply-To: <1541453919-25973-1-git-send-email-Liam.Merwick@oracle.com>
Subject: [Qemu-devel] [PATCH v5 3/5] qemu-img: assert block_job_get() does not return NULL in img_commit()

Although the function block_job_get() can return NULL, it would be a serious bug if it did so (because the job yields before executing anything (if it started successfully); but otherwise, commit_active_start() would have returned an error). However, as a precaution, before dereferencing the 'job' pointer in img_commit() assert it is not NULL.

Signed-off-by: Liam Merwick
Reviewed-by: Max Reitz
---
 qemu-img.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/qemu-img.c b/qemu-img.c
index b12f4cd19b0a..457aa152296b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1029,6 +1029,7 @@ static int img_commit(int argc, char **argv) } job = block_job_get("commit"); + assert(job); run_block_job(job, &local_err); if (local_err) { goto unref_backing;
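Review bot: the assert is in the right place, directly after the lookup and before run_block_job() dereferences `job`, but the argument for why block_job_get("commit") cannot return NULL here (the job yields before running anything, and commit_active_start() would already have failed otherwise) exists only in the commit message. Put that reasoning in a short comment above `assert(job);` so a reader of img_commit() can tell this is a documented invariant rather than a guess, and so nobody later "fixes" it by turning it into an error path without understanding the ordering it relies on.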
From patchwork Mon Nov 5 21:38:38 2018
From: Liam Merwick
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com
Date: Mon, 5 Nov 2018 21:38:38 +0000
Message-Id: <1541453919-25973-5-git-send-email-Liam.Merwick@oracle.com>
In-Reply-To: <1541453919-25973-1-git-send-email-Liam.Merwick@oracle.com>
Subject: [Qemu-devel] [PATCH v5 4/5] block: Fix potential Null pointer dereferences in vvfat.c

The calls to find_mapping_for_cluster() may return NULL but it isn't always checked for before dereferencing the value returned. Additionally, add some asserts to cover cases where NULL can't be returned but which might not be obvious at first glance.

Signed-off-by: Liam Merwick
Reviewed-by: Max Reitz
---
 block/vvfat.c | 50 ++++++++++++++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 16 deletions(-)

diff --git a/block/vvfat.c b/block/vvfat.c
index fc41841a5c3c..263274d9739a 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -100,30 +100,26 @@ static inline void array_free(array_t* array) /* does not automatically grow */ static inline void* array_get(array_t* array,unsigned int index) { assert(index < array->next); + assert(array->pointer); return array->pointer + index * array->item_size; } -static inline int array_ensure_allocated(array_t* array, int index) +static inline void array_ensure_allocated(array_t *array, int index) { if((index + 1) * array->item_size > array->size) { int new_size = (index + 32) * array->item_size; array->pointer = g_realloc(array->pointer, new_size); - if (!array->pointer) - return -1; + assert(array->pointer); memset(array->pointer + array->size, 0, new_size - array->size); array->size = new_size; array->next = index + 1; } - - return 0; } static inline void* array_get_next(array_t* array) { unsigned int next = array->next; - if (array_ensure_allocated(array, next) < 0) - return NULL; - + array_ensure_allocated(array, next); array->next = next + 1; return array_get(array, next); } @@ -2428,16 +2424,13 @@ static int commit_direntries(BDRVVVFATState* s, direntry_t* direntry = array_get(&(s->directory), dir_index); uint32_t first_cluster = dir_index == 0 ? 0 : begin_of_direntry(direntry); mapping_t* mapping = find_mapping_for_cluster(s, first_cluster); - int factor = 0x10 * s->sectors_per_cluster; int old_cluster_count, new_cluster_count; - int current_dir_index = mapping->info.dir.first_dir_index; - int first_dir_index = current_dir_index; + int current_dir_index; + int first_dir_index; int ret, i; uint32_t c; -DLOG(fprintf(stderr, "commit_direntries for %s, parent_mapping_index %d\n", mapping->path, parent_mapping_index)); - assert(direntry); assert(mapping); assert(mapping->begin == first_cluster); 
@@ -2445,6 +2438,15 @@ DLOG(fprintf(stderr, "commit_direntries for %s, parent_mapping_index %d\n", mapp assert(mapping->mode & MODE_DIRECTORY); assert(dir_index == 0 || is_directory(direntry)); + if (mapping == NULL) { + return -1; + } + +DLOG(fprintf(stderr, "commit_direntries for %s, parent_mapping_index %d\n", + mapping->path, parent_mapping_index)); + + current_dir_index = mapping->info.dir.first_dir_index; + first_dir_index = current_dir_index; mapping->info.dir.parent_mapping_index = parent_mapping_index; if (first_cluster == 0) { @@ -2494,6 +2496,9 @@ DLOG(fprintf(stderr, "commit_direntries for %s, parent_mapping_index %d\n", mapp direntry = array_get(&(s->directory), first_dir_index + i); if (is_directory(direntry) && !is_dot(direntry)) { mapping = find_mapping_for_cluster(s, first_cluster); + if (mapping == NULL) { + return -1; + } assert(mapping->mode & MODE_DIRECTORY); ret = commit_direntries(s, first_dir_index + i, array_index(&(s->mapping), mapping)); @@ -2522,6 +2527,10 @@ static int commit_one_file(BDRVVVFATState* s, assert(offset < size); assert((offset % s->cluster_size) == 0); + if (mapping == NULL) { + return -1; + } + for (i = s->cluster_size; i < offset; i += s->cluster_size) c = modified_fat_get(s, c); @@ -2668,8 +2677,12 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s) if (commit->action == ACTION_RENAME) { mapping_t* mapping = find_mapping_for_cluster(s, commit->param.rename.cluster); - char* old_path = mapping->path; + char *old_path; + if (mapping == NULL) { + return -1; + } + old_path = mapping->path; assert(commit->path); mapping->path = commit->path; if (rename(old_path, mapping->path)) 
@@ -2690,10 +2703,15 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s) direntry_t* d = direntry + i; if (is_file(d) || (is_directory(d) && !is_dot(d))) { + int l; + char *new_path; mapping_t* m = find_mapping_for_cluster(s, begin_of_direntry(d)); - int l = strlen(m->path); - char* new_path = g_malloc(l + diff + 1); + if (m == NULL) { + return -1; + } + l = strlen(m->path); + new_path = g_malloc(l + diff + 1); assert(!strncmp(m->path, mapping->path, l2));
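Review bot: in the array_ensure_allocated() hunk the `if (!array->pointer) return -1;` after g_realloc() becomes `assert(array->pointer)` and the function is changed to return void; the only caller updated in the diff is array_get_next(). Please confirm there is no other caller in vvfat.c that still tests the old `< 0` return value, since that would no longer compile and the diffstat for this file is all that is visible here. The new `assert(array->pointer)` in array_get() is already implied by `index < array->next` for any non-empty array, so it is documentation rather than a new check, which is fine, but say so in the commit message alongside the "asserts to cover cases where NULL can't be returned" sentence.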
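Review bot: in the first commit_direntries() hunk the new `if (mapping == NULL) { return -1; }` is unreachable: it is placed after `assert(mapping);` and `assert(mapping->begin == first_cluster);`, both visible in the preceding context, so a NULL mapping aborts on the assert before the check runs. Either move the NULL check (together with the DLOG that reads mapping->path) above the asserts and drop `assert(mapping)`, or keep the assert and drop the dead check; keeping both leaves it unclear whether a missing mapping is a programming error or a recoverable condition. The same hunk also quietly removes the unused `int factor = 0x10 * s->sectors_per_cluster;`, which is fine but deserves a mention in the commit message. The second commit_direntries() hunk gets the ordering right, with the NULL check before `assert(mapping->mode & MODE_DIRECTORY)`.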
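Review bot: in the commit_one_file() hunk the `if (mapping == NULL)` check is inserted after `assert(offset < size);` and the cluster-alignment assert, and the hunk context does not show how `mapping` and `size` are computed above them. Please confirm that neither those asserts nor the variable initialisations above them dereference `mapping`; if any of them do, the check is too late and needs to move up to immediately after the find_mapping_for_cluster() call.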
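Review bot: in the ACTION_RENAME hunk and in the mkdir hunk at the end of handle_renames_and_mkdirs(), a NULL mapping now returns -1 from the middle of the commit loop, so renames already applied by earlier iterations stay in effect while later commits are never processed. That may be the intended behaviour, but the commit message only says the dereferences are fixed; it should state that a missing mapping now aborts the whole pass rather than skipping one entry, and what the caller does with the -1. In the mkdir hunk the `assert(!strncmp(m->path, mapping->path, l2))` that follows the new check still aborts on a mismatched path, so the same lookup now has two failure modes (return -1 when missing, abort when inconsistent); a one-line comment on why one is recoverable and the other is not would help.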
From patchwork Mon Nov 5 21:38:39 2018
From: Liam Merwick
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com
Date: Mon, 5 Nov 2018 21:38:39 +0000
Message-Id: <1541453919-25973-6-git-send-email-Liam.Merwick@oracle.com>
In-Reply-To: <1541453919-25973-1-git-send-email-Liam.Merwick@oracle.com>
Subject: [Qemu-devel] [PATCH v5 5/5] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check()

The commit for 0e4e4318eaa5 increments QCOW2_OL_MAX_BITNR but does not add an array entry for QCOW2_OL_BITMAP_DIRECTORY_BITNR to metadata_ol_names[]. As a result, an array dereference of metadata_ol_names[8] in qcow2_pre_write_overlap_check() could result in a read outside of the array bounds.

Fixes: 0e4e4318eaa5 ('qcow2: add overlap check for bitmap directory')
Cc: Vladimir Sementsov-Ogievskiy
Signed-off-by: Liam Merwick
Reviewed-by: Eric Blake
Reviewed-by: Max Reitz
---
 block/qcow2-refcount.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 3c539f02e5ec..46082aeac1d6 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c @@ -2719,15 +2719,17 @@ int qcow2_check_metadata_overlap(BlockDriverState *bs, int ign, int64_t offset, } static const char *metadata_ol_names[] = { - [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header", - [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table", - [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table", - [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table", - [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block", - [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table", - [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table", - [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table", + [QCOW2_OL_MAIN_HEADER_BITNR] = "qcow2_header", + [QCOW2_OL_ACTIVE_L1_BITNR] = "active L1 table", + [QCOW2_OL_ACTIVE_L2_BITNR] = "active L2 table", + [QCOW2_OL_REFCOUNT_TABLE_BITNR] = "refcount table", + [QCOW2_OL_REFCOUNT_BLOCK_BITNR] = "refcount block", + [QCOW2_OL_SNAPSHOT_TABLE_BITNR] = "snapshot table", + [QCOW2_OL_INACTIVE_L1_BITNR] = "inactive L1 table", + [QCOW2_OL_INACTIVE_L2_BITNR] = "inactive L2 table", + [QCOW2_OL_BITMAP_DIRECTORY_BITNR] = "bitmap directory", }; +QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names)); /* * First performs a check for metadata overlaps (through
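Review bot: `QEMU_BUILD_BUG_ON(QCOW2_OL_MAX_BITNR != ARRAY_SIZE(metadata_ol_names))` catches exactly the bug being fixed, a missing last entry, but not the other way a designated-initializer table can drift: a bit skipped in the middle leaves a NULL in its slot with the array length unchanged, and whatever formats that name would then see a NULL pointer. Not this patch's problem, but a short comment next to the macro saying which mistake it guards against would stop someone assuming it covers both. Also, the whitespace realignment of the eight existing lines turns a one-line functional change into an 18-line hunk; acceptable for column alignment, but it hides the real change in review and could have been a separate cosmetic commit.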
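Added illustration, not part of this series or of QEMU: the two table-versus-enum mismatches fixed in patches 1/5 (an assert that accepts index == __MAX) and 5/5 (a name table one entry shorter than its enum) come from the same pattern, a lookup table indexed by an enum whose trailing __MAX member is the element count. The constructed Verb and Overlap enums and the tables below are stand-ins for JobVerb, JobVerbTable and metadata_ol_names[], and ARRAY_SIZE and _Static_assert stand in for QEMU's ARRAY_SIZE and QEMU_BUILD_BUG_ON; the example shows the off-by-one check beside the corrected one, a build-time size guard, and the case that guard does not catch (a hole in the middle of the table), which neither patch addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed enum in the style of a QAPI-generated one (stand-in for
 * JobVerb): the trailing __MAX member is the element count, never a value. */
typedef enum {
    VERB_CANCEL,
    VERB_PAUSE,
    VERB_RESUME,
    VERB__MAX,
} Verb;

/* Complete name table: one designated initializer per real enum value. */
static const char *const verb_names[] = {
    [VERB_CANCEL] = "cancel",
    [VERB_PAUSE]  = "pause",
    [VERB_RESUME] = "resume",
};
/* Build-time guard, the equivalent of QEMU_BUILD_BUG_ON in patch 5/5: appending
 * a value to Verb without a name fails here instead of reading past the table. */
_Static_assert(ARRAY_SIZE(verb_names) == VERB__MAX, "verb_names out of sync with Verb");

/* The same table as it looks after VERB_RESUME was added to the enum but not
 * here (the metadata_ol_names[] bug): ARRAY_SIZE() is 2, index 2 is past the end. */
static const char *const verb_names_short[] = {
    [VERB_CANCEL] = "cancel",
    [VERB_PAUSE]  = "pause",
};

/* Bound check as it read before patch 1/5: idx == n_elems is accepted. */
bool index_ok_off_by_one(int idx, size_t n_elems)
{
    return idx >= 0 && (size_t)idx <= n_elems;
}

/* Corrected check: only 0 .. n_elems-1 are valid indexes. */
bool index_ok(int idx, size_t n_elems)
{
    return idx >= 0 && (size_t)idx < n_elems;
}

/* Bounds-checked lookup; returns NULL rather than reading past the table. */
const char *lookup_name(const char *const *names, size_t n_elems, int idx)
{
    if (!index_ok(idx, n_elems)) {
        return NULL;
    }
    return names[idx];
}

/* A size check cannot see a hole in the middle of a designated-initializer
 * table: the skipped slot is zero-filled (NULL) and the length is unchanged.
 * Count such holes so a unit test can flag them. */
size_t count_null_entries(const char *const *names, size_t n_elems)
{
    size_t holes = 0;
    for (size_t i = 0; i < n_elems; i++) {
        if (names[i] == NULL) {
            holes++;
        }
    }
    return holes;
}

/* Constructed stand-in for the qcow2 overlap bits, with OL_L2 left unnamed.
 * The _Static_assert on the size still passes; only the NULL scan notices. */
typedef enum { OL_HEADER, OL_L1, OL_L2, OL_BITMAP_DIR, OL__MAX } Overlap;
static const char *const overlap_names[] = {
    [OL_HEADER]     = "header",
    [OL_L1]         = "L1 table",
    [OL_BITMAP_DIR] = "bitmap directory",
};
_Static_assert(ARRAY_SIZE(overlap_names) == OL__MAX, "overlap_names out of sync with Overlap");

/* Wrappers so the tables can be exercised without exposing the arrays. */
const char *verb_name(int idx)
{
    return lookup_name(verb_names, ARRAY_SIZE(verb_names), idx);
}

const char *verb_name_short(int idx)
{
    return lookup_name(verb_names_short, ARRAY_SIZE(verb_names_short), idx);
}

size_t overlap_name_holes(void)
{
    return count_null_entries(overlap_names, OL__MAX);
}

int main(void)
{
    printf("index %d of %d elements: old check %s, new check %s\n", VERB__MAX, VERB__MAX,
           index_ok_off_by_one(VERB__MAX, VERB__MAX) ? "accepts" : "rejects",
           index_ok(VERB__MAX, VERB__MAX) ? "accepts" : "rejects");
    const char *n = verb_name_short(VERB_RESUME);
    printf("short table, VERB_RESUME: %s\n", n ? n : "(NULL, index past end of table)");
    printf("holes in overlap_names: %zu\n", overlap_name_holes());
    return 0;
}
```

The size guard and the NULL scan are complementary: the guard is free and fails the build, but only for a missing last entry; the scan costs a loop and belongs in a unit test, but it is the only one of the two that notices an entry skipped in the middle.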