From nobody Wed Feb 11 05:35:36 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 151671920300555.61993983642469; Tue, 23 Jan 2018 06:53:23 -0800 (PST) Received: from localhost ([::1]:33619 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1edzww-0002Y5-7v for importer@patchew.org; Tue, 23 Jan 2018 09:53:22 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43413) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1edzs1-00075T-9q for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1edzrx-0002L4-GN for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:17 -0500 Received: from mout.kundenserver.de ([217.72.192.74]:53530) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1edzrx-0002J7-5P for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:13 -0500 Received: from localhost.localdomain ([78.238.229.36]) by mrelayeu.kundenserver.de (mreue102 [212.227.15.183]) with ESMTPSA (Nemesis) id 0MK26P-1eccpC08ST-001Tjn; Tue, 23 Jan 2018 15:48:11 +0100 From: Laurent Vivier To: qemu-devel@nongnu.org Date: Tue, 23 Jan 2018 15:47:57 +0100 Message-Id: <20180123144807.5618-4-laurent@vivier.eu> X-Mailer: git-send-email 2.14.3 In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu> References: <20180123144807.5618-1-laurent@vivier.eu> X-Provags-ID: V03:K0:3F1/Ic4jxFHZZVXnDMoPYVFwpCGYk66ConPA/+uPXryjzoUeuMr 5Ekzj4QfeCuQweUEwC8IMEzrGPKYlI7EKMuqc70OFIsy+9MOI9jaiwygYJN2Jvl1lzGGoOE 7Ez5NOQkH6hykImKfkBmqidDJ00PmNDwhFG1t9pWGOnDedWXMMc0ISjgQfPMHWEAFIUPYKX 23Th3NXsmTzXi7607iQOg== X-UI-Out-Filterresults: notjunk:1;V01:K0:2RHHCqty9I0=:yPn85MOc9BaxVaA6us0w/B b1P2Ej8zqWzQ7VQbN95fj9knvENB5vzWM/DoRD/RfMyPlWL0UZ6z/hCgzKztOytr3HbEthfGY V4+fkt5FGmqFWaR49Pi1VolMMAGCH6rvP2NXSduLKwBxyyKIHrLhCwHk6vagR2bkFAoZkOJJQ PjdkA0fH1dvUmMC4LEQs5DLxFKcgwFWD5tGHjnLFIRpSdw6qhcbJNhnM6jAC1NIvpekNay6lm Q6keCVvl7kZC0MrbjsVgAmFFdrCLx6SJBh5dbB2+WKhZW1i8RJ2AZg7eW0sueSFCnCr35xpVG 3FY2TyjzzrZQSkETOG5iicuEebMzzBgpziiclhoUtDR2fIrQbXCW9ZwYJnFqRU/7OSfvNxE2e jS6FsuwTCzg50fwnAsMK8aySBHEcqdulp3xenAJO9M9zpc3HW4FG3vlEZnYGv8ZP+RPxR+JGi YZxl2fEnCBEK75omsaQmd1z2eUX5YY7REIXPj/Nt2jfq9F1+erP+uFgZollvDHHIo6sNvKYdq pvil36YBcobh0t/Ag19X7YbNXKDH0TSdPQeQQTMd38W4DCb/NQLduFaSWZHLhfb75RMCGC44g x3ZY1m4QGRfRri5Zxjc+9/XOhpcCtSNLQCGqCKpmknrDUvbJs4zvUjKshmgtzizOgP31FbdYS dE54mDKpR/24pKZbH3sd6mg/BRIjiFsUnIMl4Oa7Gzwh1Tgw3lk4ivmO2CtHeAxjSuOCzwWij ihGkqauL1HIDEjpGHaFEdPHPcrFevcucBGWgWQ== X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 217.72.192.74 Subject: [Qemu-devel] [PULL 03/13] linux-user: Fix length calculations in host_to_target_cmsg() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Laurent Vivier Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Peter Maydell The handling of length calculations in host_to_target_cmsg() was rather confused: * when checking for whether the target cmsg header fit in the remaining buffer, we were using the host struct size, not the target size * we were setting tgt_len to "target payload + header length" but then using it as if it were the target payload length alone * in various message type cases we weren't handling the possibility that host or target buffers were truncated Fix these problems. The second one in particular is liable to result in us overrunning the guest provided buffer, since we will try to convert more data than is actually present. Fixes: https://bugs.launchpad.net/qemu/+bug/1701808 Reported-by: Bruno Haible Signed-off-by: Peter Maydell Message-Id: <1513345976-22958-2-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 11c9116c4a..a1b9772a85 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1782,7 +1782,7 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, * to the guest via the CTRUNC bit), unlike truncation * in target_to_host_cmsg, which is a QEMU bug. */ - if (msg_controllen < sizeof(struct cmsghdr)) { + if (msg_controllen < sizeof(struct target_cmsghdr)) { target_msgh->msg_flags |=3D tswap32(MSG_CTRUNC); break; } @@ -1794,8 +1794,6 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, } target_cmsg->cmsg_type =3D tswap32(cmsg->cmsg_type); =20 - tgt_len =3D TARGET_CMSG_LEN(len); - /* Payload types which need a different size of payload on * the target must adjust tgt_len here. */ @@ -1809,12 +1807,13 @@ static inline abi_long host_to_target_cmsg(struct t= arget_msghdr *target_msgh, break; } default: + tgt_len =3D len; break; } =20 - if (msg_controllen < tgt_len) { + if (msg_controllen < TARGET_CMSG_LEN(tgt_len)) { target_msgh->msg_flags |=3D tswap32(MSG_CTRUNC); - tgt_len =3D msg_controllen; + tgt_len =3D msg_controllen - sizeof(struct target_cmsghdr); } =20 /* We must now copy-and-convert len bytes of payload @@ -1875,6 +1874,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, uint32_t *v =3D (uint32_t *)data; uint32_t *t_int =3D (uint32_t *)target_data; =20 + if (len !=3D sizeof(uint32_t) || + tgt_len !=3D sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1888,6 +1891,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, struct errhdr_t *target_errh =3D (struct errhdr_t *)target_data; =20 + if (len !=3D sizeof(struct errhdr_t) || + tgt_len !=3D sizeof(struct errhdr_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1911,6 +1918,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, uint32_t *v =3D (uint32_t *)data; uint32_t *t_int =3D (uint32_t *)target_data; =20 + if (len !=3D sizeof(uint32_t) || + tgt_len !=3D sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1924,6 +1935,10 @@ static inline abi_long host_to_target_cmsg(struct ta= rget_msghdr *target_msgh, struct errhdr6_t *target_errh =3D (struct errhdr6_t *)target_data; =20 + if (len !=3D sizeof(struct errhdr6_t) || + tgt_len !=3D sizeof(struct errhdr6_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1950,8 +1965,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, } } =20 - target_cmsg->cmsg_len =3D tswapal(tgt_len); - tgt_space =3D TARGET_CMSG_SPACE(len); + target_cmsg->cmsg_len =3D tswapal(TARGET_CMSG_LEN(tgt_len)); + tgt_space =3D TARGET_CMSG_SPACE(tgt_len); if (msg_controllen < tgt_space) { tgt_space =3D msg_controllen; } --=20 2.14.3