From nobody Thu Mar 28 22:48:50 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1513346144198567.3472268382003; Fri, 15 Dec 2017 05:55:44 -0800 (PST) Received: from localhost ([::1]:46728 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ePqSZ-00033N-6w for importer@patchew.org; Fri, 15 Dec 2017 08:55:31 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48923) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ePqQI-0001b6-0O for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ePqQG-0002SH-OQ for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:10 -0500 Received: from orth.archaic.org.uk ([2001:8b0:1d0::2]:39184) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ePqQG-0002MG-H8 for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:08 -0500 Received: from pm215 by orth.archaic.org.uk with local (Exim 4.89) (envelope-from ) id 1ePqQ5-000226-VT; Fri, 15 Dec 2017 13:52:57 +0000 From: Peter Maydell To: qemu-devel@nongnu.org Date: Fri, 15 Dec 2017 13:52:55 +0000 Message-Id: <1513345976-22958-2-git-send-email-peter.maydell@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1513345976-22958-1-git-send-email-peter.maydell@linaro.org> References: <1513345976-22958-1-git-send-email-peter.maydell@linaro.org> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2001:8b0:1d0::2 Subject: [Qemu-devel] [PATCH 1/2] linux-user: Fix length calculations in host_to_target_cmsg() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Riku Voipio , Bruno Haible , Laurent Vivier , patches@linaro.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The handling of length calculations in host_to_target_cmsg() was rather confused: * when checking for whether the target cmsg header fit in the remaining buffer, we were using the host struct size, not the target size * we were setting tgt_len to "target payload + header length" but then using it as if it were the target payload length alone * in various message type cases we weren't handling the possibility that host or target buffers were truncated Fix these problems. The second one in particular is liable to result in us overrunning the guest provided buffer, since we will try to convert more data than is actually present. Fixes: https://bugs.launchpad.net/qemu/+bug/1701808 Reported-by: Bruno Haible Signed-off-by: Peter Maydell --- linux-user/syscall.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 11c9116..a1b9772 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1782,7 +1782,7 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, * to the guest via the CTRUNC bit), unlike truncation * in target_to_host_cmsg, which is a QEMU bug. */ - if (msg_controllen < sizeof(struct cmsghdr)) { + if (msg_controllen < sizeof(struct target_cmsghdr)) { target_msgh->msg_flags |=3D tswap32(MSG_CTRUNC); break; } @@ -1794,8 +1794,6 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, } target_cmsg->cmsg_type =3D tswap32(cmsg->cmsg_type); =20 - tgt_len =3D TARGET_CMSG_LEN(len); - /* Payload types which need a different size of payload on * the target must adjust tgt_len here. */ @@ -1809,12 +1807,13 @@ static inline abi_long host_to_target_cmsg(struct t= arget_msghdr *target_msgh, break; } default: + tgt_len =3D len; break; } =20 - if (msg_controllen < tgt_len) { + if (msg_controllen < TARGET_CMSG_LEN(tgt_len)) { target_msgh->msg_flags |=3D tswap32(MSG_CTRUNC); - tgt_len =3D msg_controllen; + tgt_len =3D msg_controllen - sizeof(struct target_cmsghdr); } =20 /* We must now copy-and-convert len bytes of payload @@ -1875,6 +1874,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, uint32_t *v =3D (uint32_t *)data; uint32_t *t_int =3D (uint32_t *)target_data; =20 + if (len !=3D sizeof(uint32_t) || + tgt_len !=3D sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1888,6 +1891,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, struct errhdr_t *target_errh =3D (struct errhdr_t *)target_data; =20 + if (len !=3D sizeof(struct errhdr_t) || + tgt_len !=3D sizeof(struct errhdr_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1911,6 +1918,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, uint32_t *v =3D (uint32_t *)data; uint32_t *t_int =3D (uint32_t *)target_data; =20 + if (len !=3D sizeof(uint32_t) || + tgt_len !=3D sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1924,6 +1935,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, struct errhdr6_t *target_errh =3D (struct errhdr6_t *)target_data; =20 + if (len !=3D sizeof(struct errhdr6_t) || + tgt_len !=3D sizeof(struct errhdr6_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1950,8 +1965,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, } } =20 - target_cmsg->cmsg_len =3D tswapal(tgt_len); - tgt_space =3D TARGET_CMSG_SPACE(len); + target_cmsg->cmsg_len =3D tswapal(TARGET_CMSG_LEN(tgt_len)); + tgt_space =3D TARGET_CMSG_SPACE(tgt_len); if (msg_controllen < tgt_space) { tgt_space =3D msg_controllen; } --=20 2.7.4 From nobody Thu Mar 28 22:48:50 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1513346198039635.6774963961224; Fri, 15 Dec 2017 05:56:38 -0800 (PST) Received: from localhost ([::1]:46735 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ePqTR-0003tN-4y for importer@patchew.org; Fri, 15 Dec 2017 08:56:25 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48912) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ePqQG-0001aC-NC for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:09 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ePqQF-0002Rg-P5 for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:08 -0500 Received: from orth.archaic.org.uk ([2001:8b0:1d0::2]:39184) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ePqQF-0002MG-HU for qemu-devel@nongnu.org; Fri, 15 Dec 2017 08:53:07 -0500 Received: from pm215 by orth.archaic.org.uk with local (Exim 4.89) (envelope-from ) id 1ePqQ6-00022J-Lp; Fri, 15 Dec 2017 13:52:58 +0000 From: Peter Maydell To: qemu-devel@nongnu.org Date: Fri, 15 Dec 2017 13:52:56 +0000 Message-Id: <1513345976-22958-3-git-send-email-peter.maydell@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1513345976-22958-1-git-send-email-peter.maydell@linaro.org> References: <1513345976-22958-1-git-send-email-peter.maydell@linaro.org> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2001:8b0:1d0::2 Subject: [Qemu-devel] [PATCH 2/2] linux-user: Don't use CMSG_ALIGN(sizeof struct cmsghdr) X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Riku Voipio , Bruno Haible , Laurent Vivier , patches@linaro.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The Linux struct cmsghdr is already guaranteed to be sufficiently aligned that CMSG_ALIGN(sizeof struct cmsghdr) is always equal to sizeof struct cmsghdr. Stop doing the unnecessary alignment arithmetic for host and target cmsghdr. This follows kernel commit 1ff8cebf49ed9e9ca2 and brings our TARGET_CMSG_* macros back into line with the kernel ones, as well as making them easier to understand. Signed-off-by: Peter Maydell Reviewed-by: Laurent Vivier --- linux-user/syscall_defs.h | 6 +++--- linux-user/syscall.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index bec3680..a35c52a 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -303,9 +303,9 @@ struct target_cmsghdr { __target_cmsg_nxthdr(mhdr, cmsg, cmsg_start) #define TARGET_CMSG_ALIGN(len) (((len) + sizeof (abi_long) - 1) \ & (size_t) ~(sizeof (abi_long) - 1)) -#define TARGET_CMSG_SPACE(len) (TARGET_CMSG_ALIGN (len) \ - + TARGET_CMSG_ALIGN (sizeof (struct target_= cmsghdr))) -#define TARGET_CMSG_LEN(len) (TARGET_CMSG_ALIGN (sizeof (struct target_c= msghdr)) + (len)) +#define TARGET_CMSG_SPACE(len) (sizeof(struct target_cmsghdr) + \ + TARGET_CMSG_ALIGN(len)) +#define TARGET_CMSG_LEN(len) (sizeof(struct target_cmsghdr) + (len)) =20 static __inline__ struct target_cmsghdr * __target_cmsg_nxthdr(struct target_msghdr *__mhdr, diff --git a/linux-user/syscall.c b/linux-user/syscall.c index a1b9772..39553c8 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1692,7 +1692,7 @@ static inline abi_long target_to_host_cmsg(struct msg= hdr *msgh, void *target_data =3D TARGET_CMSG_DATA(target_cmsg); =20 int len =3D tswapal(target_cmsg->cmsg_len) - - TARGET_CMSG_ALIGN(sizeof (struct target_cmsghdr)); + - sizeof(struct target_cmsghdr); =20 space +=3D CMSG_SPACE(len); if (space > msgh->msg_controllen) { @@ -1773,7 +1773,7 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, void *data =3D CMSG_DATA(cmsg); void *target_data =3D TARGET_CMSG_DATA(target_cmsg); =20 - int len =3D cmsg->cmsg_len - CMSG_ALIGN(sizeof (struct cmsghdr)); + int len =3D cmsg->cmsg_len - sizeof(struct cmsghdr); int tgt_len, tgt_space; =20 /* We never copy a half-header but may copy half-data; --=20 2.7.4