From nobody Sat Sep 27 13:04:11 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1546020048230761.9457739269827; Fri, 28 Dec 2018 10:00:48 -0800 (PST) Received: from localhost ([127.0.0.1]:60829 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gcwRC-00083W-Np for importer@patchew.org; Fri, 28 Dec 2018 13:00:46 -0500 Received: from eggs.gnu.org ([208.118.235.92]:40215) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gcwMf-0003Ng-Ga for qemu-devel@nongnu.org; Fri, 28 Dec 2018 12:56:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gcwLq-00056G-Fu for qemu-devel@nongnu.org; Fri, 28 Dec 2018 12:55:17 -0500 Received: from mx1.redhat.com ([209.132.183.28]:40982) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gcw2W-0001sM-I6 for qemu-devel@nongnu.org; Fri, 28 Dec 2018 12:35:16 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DFD1C81F13; Fri, 28 Dec 2018 17:35:15 +0000 (UTC) Received: from x1w.redhat.com (ovpn-204-58.brq.redhat.com [10.40.204.58]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0FDFA103BAB2; Fri, 28 Dec 2018 17:35:00 +0000 (UTC) From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Date: Fri, 28 Dec 2018 18:33:56 +0100 Message-Id: <20181228173356.15359-6-philmd@redhat.com> In-Reply-To: <20181228173356.15359-1-philmd@redhat.com> References: <20181228173356.15359-1-philmd@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 28 Dec 2018 17:35:15 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v4 5/5] migration: Use strnlen() for fixed-size string X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Thomas Huth , Juan Quintela , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , David Hildenbrand , "Dr. David Alan Gilbert" , Markus Armbruster , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , "Michael S. Tsirkin" , Igor Mammedov , Paolo Bonzini , David Gibson Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" GCC 8 introduced the -Wstringop-overflow, which detect buffer overflow by string-modifying functions declared in , such strncpy(), used in global_state_store_running(). GCC indeed found an incorrect use of strlen(), because this array is loaded by VMSTATE_BUFFER(runstate, GlobalState) then parsed using qapi_enum_parse which does not get the buffer length. Use strnlen() which returns sizeof(s->runstate) if the array is not NUL-terminated, assert the size is within range, and enforce the array to be NUL-terminated to avoid an overflow in qapi_enum_parse(). This fixes: CC migration/global_state.o qemu/migration/global_state.c: In function 'global_state_pre_save': qemu/migration/global_state.c:109:15: error: 'strlen' argument 1 declared= attribute 'nonstring' [-Werror=3Dstringop-overflow=3D] s->size =3D strlen((char *)s->runstate) + 1; ^~~~~~~~~~~~~~~~~~~~~~~~~~~ qemu/migration/global_state.c:24:13: note: argument 'runstate' declared h= ere uint8_t runstate[100] QEMU_NONSTRING; ^~~~~~~~ cc1: all warnings being treated as errors make: *** [qemu/rules.mak:69: migration/global_state.o] Error 1 Suggested-by: Michael S. Tsirkin Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Richard Henderson --- migration/global_state.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/migration/global_state.c b/migration/global_state.c index 01805c567a..4f060a6dbd 100644 --- a/migration/global_state.c +++ b/migration/global_state.c @@ -89,6 +89,16 @@ static int global_state_post_load(void *opaque, int vers= ion_id) s->received =3D true; trace_migrate_global_state_post_load(runstate); =20 + if (strnlen((char *)s->runstate, + sizeof(s->runstate)) =3D=3D sizeof(s->runstate)) { + /* This condition should never happen during migration, because + * all runstate names are shorter than 100 bytes (the size of + * s->runstate). However, a malicious stream could overflow + * the qapi_enum_parse() call, so we force the last character + * to a NUL byte. + */ + s->runstate[sizeof(s->runstate) - 1] =3D '\0'; + } r =3D qapi_enum_parse(&RunState_lookup, runstate, -1, &local_err); =20 if (r =3D=3D -1) { @@ -107,7 +117,8 @@ static int global_state_pre_save(void *opaque) GlobalState *s =3D opaque; =20 trace_migrate_global_state_pre_save((char *)s->runstate); - s->size =3D strlen((char *)s->runstate) + 1; + s->size =3D strnlen((char *)s->runstate, sizeof(s->runstate)) + 1; + assert(s->size <=3D sizeof(s->runstate)); =20 return 0; } --=20 2.17.2