From: Junjie Cao
To: qemu-devel@nongnu.org, peterx@redhat.com, farosas@suse.de
Cc: junjie.cao@intel.com
Subject: [PATCH] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data
Date: Mon, 16 Mar 2026 16:46:18 +0800
Message-ID: <20260316084618.52-1-junjie.cao@intel.com>

multifd_file_recv_data() stores the return value of qio_channel_pread()
(ssize_t) in a size_t variable. On I/O error the -1 return value wraps to
SIZE_MAX, producing a nonsensical read size in the error message.

More critically, a short read (0 <= ret < data->size) is possible when the
migration file is truncated. In that case qio_channel_pread() returns a
non-negative value without setting *errp. The function then calls
error_prepend(errp, ...)
which dereferences *errp -- a NULL pointer -- crashing QEMU. Fix both issues by changing ret to ssize_t and splitting the error handling: use error_prepend() only when qio_channel_pread() itself has populated *errp (ret < 0), and error_setg() for the short-read case where *errp has not been set. Add ERRP_GUARD() so that error_prepend() works correctly even when errp is &error_fatal or NULL. Signed-off-by: Junjie Cao --- migration/file.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/migration/file.c b/migration/file.c index 5618aced49..78b274dc32 100644 --- a/migration/file.c +++ b/migration/file.c @@ -254,15 +254,21 @@ int file_write_ramblock_iov(QIOChannel *ioc, const st= ruct iovec *iov, =20 int multifd_file_recv_data(MultiFDRecvParams *p, Error **errp) { + ERRP_GUARD(); MultiFDRecvData *data =3D p->data; - size_t ret; + ssize_t ret; =20 ret =3D qio_channel_pread(p->c, (char *) data->opaque, data->size, data->file_offset, errp); + if (ret < 0) { + error_prepend(errp, "multifd recv (%u): ", p->id); + return -1; + } + if (ret !=3D data->size) { - error_prepend(errp, - "multifd recv (%u): read 0x%zx, expected 0x%zx", - p->id, ret, data->size); + error_setg(errp, + "multifd recv (%u): read 0x%zx, expected 0x%zx", + p->id, (size_t)ret, data->size); return -1; } =20 --=20 2.43.0
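Review bot: the remaining `if (ret != data->size)` now compares the signed `ssize_t ret` against the `size_t data->size`; because the `ret < 0` branch above has already returned, the implicit conversion is well-defined, but the test will trip `-Wsign-compare` wherever that warning is on, and the argument list two lines below already casts `(size_t)ret` for `%zx`. Suggest writing the condition the same way, `if ((size_t)ret != data->size) {`, so the comparison and the message agree and a later reader does not have to re-derive why the signed compare is safe here. The split itself looks right: error_prepend() only on the path where qio_channel_pread() populated *errp, error_setg() for the short read it did not report, and ERRP_GUARD() covering the &error_fatal and NULL cases for the prepend.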
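The two defects described in the commit message, reproduced on an in-memory stand-in and placed beside the patch's corrected control flow, as an added example that is not QEMU code: the Error type, err_setg, err_prepend, struct memfile and chan_pread below are constructed stand-ins for QEMU's Error API and qio_channel_pread(), kept just faithful enough to show the ssize_t-to-size_t wrap and the NULL *errp that error_prepend() would read on a short read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-ins for QEMU's Error object and helpers (not the QEMU API);
 * err_prepend keeps error_prepend()'s read of (*errp)->msg but reports a NULL *errp instead of crashing. */
typedef struct Error { char msg[160]; } Error;
static void err_setg(Error **errp, const char *text)
{
    if (!errp) return;
    *errp = calloc(1, sizeof(**errp));
    snprintf((*errp)->msg, sizeof((*errp)->msg), "%s", text);
}
/* Returns 1 if the prefix was applied, 0 if *errp was NULL (the crash case). */
static int err_prepend(Error **errp, const char *prefix)
{
    char tmp[160];
    if (!errp) return 1;
    if (!*errp) return 0;
    snprintf(tmp, sizeof tmp, "%s%s", prefix, (*errp)->msg);
    memcpy((*errp)->msg, tmp, sizeof tmp);
    return 1;
}

/* In-memory stand-in for the file behind qio_channel_pread(), read from offset 0: bytes read,
 * -1 with *errp set on I/O error, or a short count (0 <= n < len) with *errp left untouched. */
struct memfile { const char *data; size_t len; int io_error; };
static ssize_t chan_pread(struct memfile *f, void *buf, size_t len, Error **errp)
{
    if (f->io_error) { err_setg(errp, "pread: Input/output error"); return -1; }
    size_t n = f->len < len ? f->len : len;
    memcpy(buf, f->data, n);
    return (ssize_t)n;
}

/* Pre-patch shape: size_t ret and error_prepend() on every mismatch.
 * Returns 0 on success, -1 on a reported error, -2 when error_prepend()
 * would have dereferenced a NULL *errp. */
static int recv_old(struct memfile *f, void *buf, size_t size, Error **errp)
{
    size_t ret = chan_pread(f, buf, size, errp);  /* -1 wraps to SIZE_MAX */
    if (ret != size) {
        char prefix[160];
        snprintf(prefix, sizeof prefix, "recv: read 0x%zx, expected 0x%zx: ", ret, size);
        return err_prepend(errp, prefix) ? -1 : -2;
    }
    return 0;
}
/* Post-patch shape: ssize_t ret; prepend only when the reader set *errp,
 * error_setg() for the short read it did not report. */
static int recv_fixed(struct memfile *f, void *buf, size_t size, Error **errp)
{
    ssize_t ret = chan_pread(f, buf, size, errp);
    if (ret < 0) { err_prepend(errp, "recv: "); return -1; }
    if ((size_t)ret != size) {
        char text[160];
        snprintf(text, sizeof text, "recv: read 0x%zx, expected 0x%zx", (size_t)ret, size);
        err_setg(errp, text);
        return -1;
    }
    return 0;
}

/* One run of each pattern, returned rather than printed. */
struct outcome { int old_short_rc, fixed_short_rc, fixed_ioerr_rc;
                 char old_ioerr_msg[160], fixed_short_msg[160], fixed_ioerr_msg[160]; };
static void take_msg(char *dst, Error **err)
{
    snprintf(dst, 160, "%s", *err ? (*err)->msg : "(none)");
    free(*err);
    *err = NULL;
}
static struct outcome run_example(void)
{
    /* Constructed "migration file": 10 bytes present where 16 are expected. */
    struct memfile truncated = { "0123456789", 10, 0 }, broken = { "0123456789", 10, 1 };
    struct outcome o = {0};
    char buf[16];
    Error *err = NULL;
    o.old_short_rc = recv_old(&truncated, buf, sizeof buf, &err);   /* -2: NULL *errp hazard */
    recv_old(&broken, buf, sizeof buf, &err);
    take_msg(o.old_ioerr_msg, &err);              /* "read 0xffff...", the wrapped -1 */
    o.fixed_short_rc = recv_fixed(&truncated, buf, sizeof buf, &err);
    take_msg(o.fixed_short_msg, &err);            /* read 0xa, expected 0x10 */
    o.fixed_ioerr_rc = recv_fixed(&broken, buf, sizeof buf, &err);
    take_msg(o.fixed_ioerr_msg, &err);            /* recv: pread: Input/output error */
    return o;
}

int main(void)
{
    struct outcome o = run_example();
    printf("old short read rc=%d; old I/O error: %s\n", o.old_short_rc, o.old_ioerr_msg);
    printf("fixed short read rc=%d: %s\n", o.fixed_short_rc, o.fixed_short_msg);
    printf("fixed I/O error rc=%d: %s\n", o.fixed_ioerr_rc, o.fixed_ioerr_msg);
    return 0;
}
```

The point the stand-in makes visible is that the sign of the return value is the only thing that tells the caller whether the reader has already filled in *errp; the old code treated both failures alike and so read through a NULL pointer on the short-read path, while the wrapped -1 on the I/O-error path only produced a misleading size in the message.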