This introduces two new helper metohds
int qemu_open(const char *name, int flags, Error **errp);
int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
Note that with this design we no longer require or even accept the
O_CREAT flag. Avoiding overloading the two distinct operations
means we can avoid variable arguments which would prevent 'errp' from
being the last argument. It also gives us a guarantee that the 'mode' is
given when creating files, avoiding a latent security bug.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/qemu/osdep.h | 6 ++++
util/osdep.c | 78 ++++++++++++++++++++++++++++++++++++--------
2 files changed, 71 insertions(+), 13 deletions(-)
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 3a16e58932..ca24ebe211 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -494,7 +494,13 @@ int qemu_madvise(void *addr, size_t len, int advice);
int qemu_mprotect_rwx(void *addr, size_t size);
int qemu_mprotect_none(void *addr, size_t size);
+/*
+ * Don't introduce new usage of this function, prefer the following
+ * qemu_open/qemu_create that take a "Error **errp"
+ */
int qemu_open_old(const char *name, int flags, ...);
+int qemu_open(const char *name, int flags, Error **errp);
+int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
int qemu_close(int fd);
int qemu_unlink(const char *name);
#ifndef _WIN32
diff --git a/util/osdep.c b/util/osdep.c
index 9df1b6adec..5c0f4684b1 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -22,6 +22,7 @@
* THE SOFTWARE.
*/
#include "qemu/osdep.h"
+#include "qapi/error.h"
/* Needed early for CONFIG_BSD etc. */
@@ -282,10 +283,10 @@ int qemu_lock_fd_test(int fd, int64_t start, int64_t len, bool exclusive)
/*
* Opens a file with FD_CLOEXEC set
*/
-int qemu_open_old(const char *name, int flags, ...)
+static int
+qemu_open_internal(const char *name, int flags, mode_t mode, Error **errp)
{
int ret;
- int mode = 0;
#ifndef _WIN32
const char *fdset_id_str;
@@ -297,24 +298,31 @@ int qemu_open_old(const char *name, int flags, ...)
fdset_id = qemu_parse_fdset(fdset_id_str);
if (fdset_id == -1) {
+ error_setg(errp, "Could not parse fdset %s", name);
errno = EINVAL;
return -1;
}
fd = monitor_fdset_get_fd(fdset_id, flags);
if (fd < 0) {
+ error_setg_errno(errp, -fd, "Could not acquire FD for %s flags %x",
+ name, flags);
errno = -fd;
return -1;
}
dupfd = qemu_dup_flags(fd, flags);
if (dupfd == -1) {
+ error_setg_errno(errp, errno, "Could not dup FD for %s flags %x",
+ name, flags);
return -1;
}
ret = monitor_fdset_dup_fd_add(fdset_id, dupfd);
if (ret == -1) {
close(dupfd);
+ error_setg(errp, "Could not save FD for %s flags %x",
+ name, flags);
errno = EINVAL;
return -1;
}
@@ -323,22 +331,66 @@ int qemu_open_old(const char *name, int flags, ...)
}
#endif
- if (flags & O_CREAT) {
- va_list ap;
-
- va_start(ap, flags);
- mode = va_arg(ap, int);
- va_end(ap);
- }
-
#ifdef O_CLOEXEC
- ret = open(name, flags | O_CLOEXEC, mode);
-#else
+ flags |= O_CLOEXEC;
+#endif /* O_CLOEXEC */
+
ret = open(name, flags, mode);
+
+#ifndef O_CLOEXEC
if (ret >= 0) {
qemu_set_cloexec(ret);
}
-#endif
+#endif /* ! O_CLOEXEC */
+
+ if (ret == -1) {
+ const char *action = "open";
+ if (flags & O_CREAT) {
+ action = "create";
+ }
+ error_setg_errno(errp, errno, "Could not %s '%s' flags 0x%x",
+ action, name, flags);
+ }
+
+
+ return ret;
+}
+
+
+int qemu_open(const char *name, int flags, Error **errp)
+{
+ if (flags & O_CREAT) {
+ error_setg(errp,
+ "Invalid O_CREAT flag passed to qemu_open, use qemu_create");
+ return -1;
+ }
+ return qemu_open_internal(name, flags, 0, errp);
+}
+
+
+int qemu_create(const char *name, int flags, mode_t mode, Error **errp)
+{
+ if (flags & O_CREAT) {
+ error_setg(errp, "Redundant O_CREAT flag passed to qemu_create");
+ return -1;
+ }
+ return qemu_open_internal(name, flags | O_CREAT, mode, errp);
+}
+
+
+int qemu_open_old(const char *name, int flags, ...)
+{
+ va_list ap;
+ mode_t mode = 0;
+ int ret;
+
+ va_start(ap, flags);
+ if (flags & O_CREAT) {
+ mode = va_arg(ap, int);
+ }
+ va_end(ap);
+
+ ret = qemu_open_internal(name, flags, mode, NULL);
#ifdef O_DIRECT
if (ret == -1 && errno == EINVAL && (flags & O_DIRECT)) {
--
2.26.2
On 7/24/20 8:25 AM, Daniel P. Berrangé wrote: > This introduces two new helper metohds > > int qemu_open(const char *name, int flags, Error **errp); > int qemu_create(const char *name, int flags, mode_t mode, Error **errp); > > Note that with this design we no longer require or even accept the > O_CREAT flag. Avoiding overloading the two distinct operations > means we can avoid variable arguments which would prevent 'errp' from > being the last argument. It also gives us a guarantee that the 'mode' is > given when creating files, avoiding a latent security bug. I like it. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > include/qemu/osdep.h | 6 ++++ > util/osdep.c | 78 ++++++++++++++++++++++++++++++++++++-------- > 2 files changed, 71 insertions(+), 13 deletions(-) > > diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h > index 3a16e58932..ca24ebe211 100644 > --- a/include/qemu/osdep.h > +++ b/include/qemu/osdep.h > @@ -494,7 +494,13 @@ int qemu_madvise(void *addr, size_t len, int advice); > int qemu_mprotect_rwx(void *addr, size_t size); > int qemu_mprotect_none(void *addr, size_t size); > > +/* > + * Don't introduce new usage of this function, prefer the following > + * qemu_open/qemu_create that take a "Error **errp" s/a /an / Reviewed-by: Eric Blake <eblake@redhat.com> -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
On 7/24/20 3:25 PM, Daniel P. Berrangé wrote:
> This introduces two new helper metohds
>
> int qemu_open(const char *name, int flags, Error **errp);
> int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
>
> Note that with this design we no longer require or even accept the
> O_CREAT flag. Avoiding overloading the two distinct operations
> means we can avoid variable arguments which would prevent 'errp' from
> being the last argument. It also gives us a guarantee that the 'mode' is
> given when creating files, avoiding a latent security bug.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> include/qemu/osdep.h | 6 ++++
> util/osdep.c | 78 ++++++++++++++++++++++++++++++++++++--------
> 2 files changed, 71 insertions(+), 13 deletions(-)
>
> diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
> index 3a16e58932..ca24ebe211 100644
> --- a/include/qemu/osdep.h
> +++ b/include/qemu/osdep.h
> @@ -494,7 +494,13 @@ int qemu_madvise(void *addr, size_t len, int advice);
> int qemu_mprotect_rwx(void *addr, size_t size);
> int qemu_mprotect_none(void *addr, size_t size);
>
> +/*
> + * Don't introduce new usage of this function, prefer the following
> + * qemu_open/qemu_create that take a "Error **errp"
> + */
> int qemu_open_old(const char *name, int flags, ...);
> +int qemu_open(const char *name, int flags, Error **errp);
> +int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
> int qemu_close(int fd);
> int qemu_unlink(const char *name);
> #ifndef _WIN32
> diff --git a/util/osdep.c b/util/osdep.c
> index 9df1b6adec..5c0f4684b1 100644
> --- a/util/osdep.c
> +++ b/util/osdep.c
> @@ -22,6 +22,7 @@
> * THE SOFTWARE.
> */
> #include "qemu/osdep.h"
> +#include "qapi/error.h"
>
> /* Needed early for CONFIG_BSD etc. */
>
> @@ -282,10 +283,10 @@ int qemu_lock_fd_test(int fd, int64_t start, int64_t len, bool exclusive)
> /*
> * Opens a file with FD_CLOEXEC set
> */
> -int qemu_open_old(const char *name, int flags, ...)
> +static int
> +qemu_open_internal(const char *name, int flags, mode_t mode, Error **errp)
> {
> int ret;
> - int mode = 0;
>
> #ifndef _WIN32
> const char *fdset_id_str;
> @@ -297,24 +298,31 @@ int qemu_open_old(const char *name, int flags, ...)
>
> fdset_id = qemu_parse_fdset(fdset_id_str);
> if (fdset_id == -1) {
> + error_setg(errp, "Could not parse fdset %s", name);
> errno = EINVAL;
> return -1;
> }
>
> fd = monitor_fdset_get_fd(fdset_id, flags);
> if (fd < 0) {
> + error_setg_errno(errp, -fd, "Could not acquire FD for %s flags %x",
> + name, flags);
> errno = -fd;
> return -1;
> }
>
> dupfd = qemu_dup_flags(fd, flags);
> if (dupfd == -1) {
> + error_setg_errno(errp, errno, "Could not dup FD for %s flags %x",
> + name, flags);
> return -1;
> }
>
> ret = monitor_fdset_dup_fd_add(fdset_id, dupfd);
> if (ret == -1) {
> close(dupfd);
> + error_setg(errp, "Could not save FD for %s flags %x",
> + name, flags);
> errno = EINVAL;
> return -1;
> }
> @@ -323,22 +331,66 @@ int qemu_open_old(const char *name, int flags, ...)
> }
> #endif
>
> - if (flags & O_CREAT) {
> - va_list ap;
> -
> - va_start(ap, flags);
> - mode = va_arg(ap, int);
> - va_end(ap);
> - }
> -
> #ifdef O_CLOEXEC
> - ret = open(name, flags | O_CLOEXEC, mode);
> -#else
> + flags |= O_CLOEXEC;
> +#endif /* O_CLOEXEC */
> +
> ret = open(name, flags, mode);
> +
> +#ifndef O_CLOEXEC
> if (ret >= 0) {
> qemu_set_cloexec(ret);
> }
> -#endif
> +#endif /* ! O_CLOEXEC */
> +
> + if (ret == -1) {
> + const char *action = "open";
> + if (flags & O_CREAT) {
> + action = "create";
> + }
> + error_setg_errno(errp, errno, "Could not %s '%s' flags 0x%x",
> + action, name, flags);
> + }
> +
NL--
> +
> + return ret;
> +}
> +
> +
> +int qemu_open(const char *name, int flags, Error **errp)
> +{
> + if (flags & O_CREAT) {
> + error_setg(errp,
> + "Invalid O_CREAT flag passed to qemu_open, use qemu_create");
> + return -1;
> + }
> + return qemu_open_internal(name, flags, 0, errp);
> +}
> +
> +
> +int qemu_create(const char *name, int flags, mode_t mode, Error **errp)
> +{
> + if (flags & O_CREAT) {
> + error_setg(errp, "Redundant O_CREAT flag passed to qemu_create");
> + return -1;
> + }
> + return qemu_open_internal(name, flags | O_CREAT, mode, errp);
> +}
> +
> +
I'd rather see this patch split as:
- extract qemu_open_internal(const char *name, int flags, mode_t mode)
from qemu_open_old()
- Add Error **errp to qemu_open_internal()
- add qemu_open() and qemu_create()
Preferably split:
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +int qemu_open_old(const char *name, int flags, ...)
> +{
> + va_list ap;
> + mode_t mode = 0;
> + int ret;
> +
> + va_start(ap, flags);
> + if (flags & O_CREAT) {
> + mode = va_arg(ap, int);
> + }
> + va_end(ap);
> +
> + ret = qemu_open_internal(name, flags, mode, NULL);
>
> #ifdef O_DIRECT
> if (ret == -1 && errno == EINVAL && (flags & O_DIRECT)) {
>
Daniel P. Berrangé <berrange@redhat.com> writes:
> This introduces two new helper metohds
Typo metohds.
Suggest to be a bit more explicit on why we want to replace qemu_open(),
perhaps like this:
qemu_open_old() works like open(): set errno and return -1 on failure.
It has even more failure modes, though. Reporting the error clearly
to users is basically impossible for many of them.
Our standard cure for "errno is too coarse" is the Error object.
Introduce two new helper methods:
>
> int qemu_open(const char *name, int flags, Error **errp);
> int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
>
> Note that with this design we no longer require or even accept the
> O_CREAT flag. Avoiding overloading the two distinct operations
> means we can avoid variable arguments which would prevent 'errp' from
> being the last argument. It also gives us a guarantee that the 'mode' is
> given when creating files, avoiding a latent security bug.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> include/qemu/osdep.h | 6 ++++
> util/osdep.c | 78 ++++++++++++++++++++++++++++++++++++--------
> 2 files changed, 71 insertions(+), 13 deletions(-)
>
> diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
> index 3a16e58932..ca24ebe211 100644
> --- a/include/qemu/osdep.h
> +++ b/include/qemu/osdep.h
> @@ -494,7 +494,13 @@ int qemu_madvise(void *addr, size_t len, int advice);
> int qemu_mprotect_rwx(void *addr, size_t size);
> int qemu_mprotect_none(void *addr, size_t size);
>
> +/*
> + * Don't introduce new usage of this function, prefer the following
> + * qemu_open/qemu_create that take a "Error **errp"
> + */
> int qemu_open_old(const char *name, int flags, ...);
> +int qemu_open(const char *name, int flags, Error **errp);
> +int qemu_create(const char *name, int flags, mode_t mode, Error **errp);
> int qemu_close(int fd);
> int qemu_unlink(const char *name);
> #ifndef _WIN32
> diff --git a/util/osdep.c b/util/osdep.c
> index 9df1b6adec..5c0f4684b1 100644
> --- a/util/osdep.c
> +++ b/util/osdep.c
> @@ -22,6 +22,7 @@
> * THE SOFTWARE.
> */
> #include "qemu/osdep.h"
> +#include "qapi/error.h"
>
> /* Needed early for CONFIG_BSD etc. */
>
> @@ -282,10 +283,10 @@ int qemu_lock_fd_test(int fd, int64_t start, int64_t len, bool exclusive)
> /*
> * Opens a file with FD_CLOEXEC set
> */
> -int qemu_open_old(const char *name, int flags, ...)
> +static int
> +qemu_open_internal(const char *name, int flags, mode_t mode, Error **errp)
> {
> int ret;
> - int mode = 0;
>
> #ifndef _WIN32
> const char *fdset_id_str;
> @@ -297,24 +298,31 @@ int qemu_open_old(const char *name, int flags, ...)
>
> fdset_id = qemu_parse_fdset(fdset_id_str);
> if (fdset_id == -1) {
> + error_setg(errp, "Could not parse fdset %s", name);
> errno = EINVAL;
> return -1;
> }
>
> fd = monitor_fdset_get_fd(fdset_id, flags);
> if (fd < 0) {
> + error_setg_errno(errp, -fd, "Could not acquire FD for %s flags %x",
> + name, flags);
> errno = -fd;
> return -1;
> }
>
> dupfd = qemu_dup_flags(fd, flags);
> if (dupfd == -1) {
> + error_setg_errno(errp, errno, "Could not dup FD for %s flags %x",
> + name, flags);
> return -1;
> }
>
> ret = monitor_fdset_dup_fd_add(fdset_id, dupfd);
> if (ret == -1) {
> close(dupfd);
> + error_setg(errp, "Could not save FD for %s flags %x",
> + name, flags);
> errno = EINVAL;
> return -1;
> }
> @@ -323,22 +331,66 @@ int qemu_open_old(const char *name, int flags, ...)
> }
> #endif
>
> - if (flags & O_CREAT) {
> - va_list ap;
> -
> - va_start(ap, flags);
> - mode = va_arg(ap, int);
> - va_end(ap);
> - }
> -
> #ifdef O_CLOEXEC
> - ret = open(name, flags | O_CLOEXEC, mode);
> -#else
> + flags |= O_CLOEXEC;
> +#endif /* O_CLOEXEC */
> +
> ret = open(name, flags, mode);
> +
> +#ifndef O_CLOEXEC
> if (ret >= 0) {
> qemu_set_cloexec(ret);
> }
> -#endif
> +#endif /* ! O_CLOEXEC */
> +
> + if (ret == -1) {
> + const char *action = "open";
> + if (flags & O_CREAT) {
> + action = "create";
> + }
I'd prefer
const char *action = flags & O_CREAT ? "create" : "open";
Could even be inlined into the call. Matter of taste.
> + error_setg_errno(errp, errno, "Could not %s '%s' flags 0x%x",
> + action, name, flags);
> + }
> +
> +
> + return ret;
> +}
> +
> +
> +int qemu_open(const char *name, int flags, Error **errp)
> +{
> + if (flags & O_CREAT) {
> + error_setg(errp,
> + "Invalid O_CREAT flag passed to qemu_open, use qemu_create");
> + return -1;
> + }
Programming error, hence assert(!(flags & O_CREAT)).
> + return qemu_open_internal(name, flags, 0, errp);
> +}
> +
> +
> +int qemu_create(const char *name, int flags, mode_t mode, Error **errp)
> +{
> + if (flags & O_CREAT) {
> + error_setg(errp, "Redundant O_CREAT flag passed to qemu_create");
> + return -1;
> + }
Likewise.
> + return qemu_open_internal(name, flags | O_CREAT, mode, errp);
> +}
> +
> +
> +int qemu_open_old(const char *name, int flags, ...)
> +{
> + va_list ap;
> + mode_t mode = 0;
> + int ret;
> +
> + va_start(ap, flags);
> + if (flags & O_CREAT) {
> + mode = va_arg(ap, int);
> + }
> + va_end(ap);
> +
> + ret = qemu_open_internal(name, flags, mode, NULL);
>
> #ifdef O_DIRECT
> if (ret == -1 && errno == EINVAL && (flags & O_DIRECT)) {
Other than that, the patch looks good to me.
© 2016 - 2025 Red Hat, Inc.