gdbstub.c | 4 ++-- net/net.c | 2 ++ tests/qtest/ipmi-bt-test.c | 2 +- tests/tcg/multiarch/linux-test.c | 4 ++-- 4 files changed, 7 insertions(+), 5 deletions(-)
The POSIX spec for sockaddr_in says that implementations are allowed to have implementation-dependent extensions controlled by extra fields in the struct, and that the way to ensure these are not accidentally activated is to zero out the whole data structure. We have several places in our codebase where we don't zero-init sockaddr_in structs and so (at least in theory) might run into this. Coverity spotted the ones in the net code (CID 1005338); the others in this series I found by looking at all uses of sockaddr_in. (The gdbstub patch changes also a sockaddr_un use, for symmetry.) Thanks to Eric for the analysis of what the spec says and why Coverity is correct here. thanks -- PMM Peter Maydell (4): net: Zero sockaddr_in in parse_host_port() gdbstub: Zero-initialize sockaddr structs tests/qtest/ipmi-bt-test: Zero-initialize sockaddr struct tests/tcg/multiarch/linux-test: Zero-initialize sockaddr structs gdbstub.c | 4 ++-- net/net.c | 2 ++ tests/qtest/ipmi-bt-test.c | 2 +- tests/tcg/multiarch/linux-test.c | 4 ++-- 4 files changed, 7 insertions(+), 5 deletions(-) -- 2.20.1
On Fri, Aug 13, 2021 at 04:05:02PM +0100, Peter Maydell wrote: > The POSIX spec for sockaddr_in says that implementations are allowed > to have implementation-dependent extensions controlled by extra > fields in the struct, and that the way to ensure these are not > accidentally activated is to zero out the whole data structure. > We have several places in our codebase where we don't zero-init > sockaddr_in structs and so (at least in theory) might run into this. > Coverity spotted the ones in the net code (CID 1005338); the > others in this series I found by looking at all uses of sockaddr_in. > (The gdbstub patch changes also a sockaddr_un use, for symmetry.) > > Thanks to Eric for the analysis of what the spec says and why > Coverity is correct here. FWIW, the POSIX wording is interesting - it requires portable applications to zero out sockaddr_in6 (and even states that memset() is not yet a portable way to do that on exotic hardware, although a future version of POSIX may add a zero-bit constraint on implementations; in practice we only use qemu on hardware where memset() to zero properly sets pointers to NULL and floating points to 0.0). But for sockaddr_in, it merely recommends it, with an acknowledgment that much existing code fails to do so. Or put another way, POSIX gives carte blanche to implementations to add IPv6 extensions, but advises that IPv4 implementations should be wary of extensions that trigger off of uninitialized fields. Since you are fixing IPv4 usage, and not IPv6, I agree with your designation that this is 6.2 material, and not a regression fix to rush into 6.1 (should other patches warrant rc4) - we are unlikely to be running on an implementation where the uninitialized fields cause noticeable behavior changes to IPv4 behavior. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
On 8/13/21 8:30 PM, Eric Blake wrote:
> On Fri, Aug 13, 2021 at 04:05:02PM +0100, Peter Maydell wrote:
>> The POSIX spec for sockaddr_in says that implementations are allowed
>> to have implementation-dependent extensions controlled by extra
>> fields in the struct, and that the way to ensure these are not
>> accidentally activated is to zero out the whole data structure.
>> We have several places in our codebase where we don't zero-init
>> sockaddr_in structs and so (at least in theory) might run into this.
>> Coverity spotted the ones in the net code (CID 1005338); the
>> others in this series I found by looking at all uses of sockaddr_in.
>> (The gdbstub patch changes also a sockaddr_un use, for symmetry.)
>>
>> Thanks to Eric for the analysis of what the spec says and why
>> Coverity is correct here.
>
> FWIW, the POSIX wording is interesting - it requires portable
> applications to zero out sockaddr_in6 (and even states that memset()
> is not yet a portable way to do that on exotic hardware, although a
> future version of POSIX may add a zero-bit constraint on
> implementations; in practice we only use qemu on hardware where
> memset() to zero properly sets pointers to NULL and floating points to
> 0.0).
So this checkpatch.pl error (inherited from Linux) is against POSIX?
2028 # check for static initialisers.
2029 if ($line =~ /\bstatic\s.*=\s*(0|NULL|false)\s*;/) {
2030 ERROR("do not initialise statics to 0 or NULL\n" .
2031 $herecurr);
2032 }
[...]
On Sun, 15 Aug 2021 at 15:34, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> On 8/13/21 8:30 PM, Eric Blake wrote:
> > FWIW, the POSIX wording is interesting - it requires portable
> > applications to zero out sockaddr_in6 (and even states that memset()
> > is not yet a portable way to do that on exotic hardware, although a
> > future version of POSIX may add a zero-bit constraint on
> > implementations; in practice we only use qemu on hardware where
> > memset() to zero properly sets pointers to NULL and floating points to
> > 0.0).
>
> So this checkpatch.pl error (inherited from Linux) is against POSIX?
>
> 2028 # check for static initialisers.
> 2029 if ($line =~ /\bstatic\s.*=\s*(0|NULL|false)\s*;/) {
> 2030 ERROR("do not initialise statics to 0 or NULL\n" .
> 2031 $herecurr);
> 2032 }
That one is for statics, where the C spec says you get 0-init by
default and so there's no need to explicitly 0-init.
-- PMM
On 8/15/21 5:44 PM, Peter Maydell wrote:
> On Sun, 15 Aug 2021 at 15:34, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>>
>> On 8/13/21 8:30 PM, Eric Blake wrote:
>>> FWIW, the POSIX wording is interesting - it requires portable
>>> applications to zero out sockaddr_in6 (and even states that memset()
>>> is not yet a portable way to do that on exotic hardware, although a
>>> future version of POSIX may add a zero-bit constraint on
>>> implementations; in practice we only use qemu on hardware where
>>> memset() to zero properly sets pointers to NULL and floating points to
>>> 0.0).
>>
>> So this checkpatch.pl error (inherited from Linux) is against POSIX?
>>
>> 2028 # check for static initialisers.
>> 2029 if ($line =~ /\bstatic\s.*=\s*(0|NULL|false)\s*;/) {
>> 2030 ERROR("do not initialise statics to 0 or NULL\n" .
>> 2031 $herecurr);
>> 2032 }
>
> That one is for statics, where the C spec says you get 0-init by
> default and so there's no need to explicitly 0-init.
Ah OK, thanks :)
On Fri, 13 Aug 2021 at 16:05, Peter Maydell <peter.maydell@linaro.org> wrote: > > The POSIX spec for sockaddr_in says that implementations are allowed > to have implementation-dependent extensions controlled by extra > fields in the struct, and that the way to ensure these are not > accidentally activated is to zero out the whole data structure. > We have several places in our codebase where we don't zero-init > sockaddr_in structs and so (at least in theory) might run into this. > Coverity spotted the ones in the net code (CID 1005338); the > others in this series I found by looking at all uses of sockaddr_in. > (The gdbstub patch changes also a sockaddr_un use, for symmetry.) > > Thanks to Eric for the analysis of what the spec says and why > Coverity is correct here. > > thanks > -- PMM > > Peter Maydell (4): > net: Zero sockaddr_in in parse_host_port() > gdbstub: Zero-initialize sockaddr structs > tests/qtest/ipmi-bt-test: Zero-initialize sockaddr struct > tests/tcg/multiarch/linux-test: Zero-initialize sockaddr structs I'll take this series via target-arm.next unless anybody objects. thanks -- PMM
© 2016 - 2024 Red Hat, Inc.