From: Junjie Cao
To: qemu-devel@nongnu.org
Cc: peterx@redhat.com, farosas@suse.de, berrange@redhat.com, junjie.cao@intel.com
Subject: [PATCH v2 2/3] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data
Date: Wed, 18 Mar 2026 22:01:12 +0800
Message-ID: <20260318140113.434-3-junjie.cao@intel.com>
In-Reply-To: <20260318140113.434-1-junjie.cao@intel.com>
References: <20260318140113.434-1-junjie.cao@intel.com>

multifd_file_recv_data() stores the return value of qio_channel_pread() (ssize_t) in a size_t variable. On I/O error the -1 return value wraps to SIZE_MAX, producing a nonsensical read size in the error message. More critically, a short read (0 <= ret < data->size) is possible when the migration file is truncated.
In that case qio_channel_pread() returns a non-negative value without setting *errp. The function then calls error_prepend(errp, ...) which dereferences *errp -- a NULL pointer -- crashing QEMU. Fix both issues by switching to qio_channel_pread_all() introduced in the previous commit, which retries on short reads and treats end-of-file as an error, so the caller no longer needs to check the byte count manually. Add ERRP_GUARD() so that error_prepend() works correctly even when errp is &error_fatal or NULL.

Suggested-by: Peter Xu Signed-off-by: Junjie Cao Reviewed-by: Daniel P. Berrangé --- migration/file.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/migration/file.c b/migration/file.c index 5618aced49..b0d3affa4c 100644 --- a/migration/file.c +++ b/migration/file.c @@ -254,16 +254,15 @@ int file_write_ramblock_iov(QIOChannel *ioc, const struct iovec *iov,   int multifd_file_recv_data(MultiFDRecvParams *p, Error **errp) { + ERRP_GUARD(); MultiFDRecvData *data = p->data; - size_t ret; - - ret = qio_channel_pread(p->c, (char *) data->opaque, - data->size, data->file_offset, errp); - if (ret != data->size) { - error_prepend(errp, - "multifd recv (%u): read 0x%zx, expected 0x%zx", - p->id, ret, data->size); - return -1; + int ret; + + ret = qio_channel_pread_all(p->c, (char *) data->opaque, + data->size, data->file_offset, errp); + if (ret < 0) { + error_prepend(errp, "multifd recv (%u): ", p->id); + return ret; }   return 0; --  2.43.0
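Review bot: the replacement error_prepend() shrinks the prefix to "multifd recv (%u): ", so the expected length data->size and the offset data->file_offset that the removed message carried are no longer reported; unless qio_channel_pread_all() includes them in its own error (that previous commit is not visible here), a truncated migration file will be reported without saying which chunk or offset failed, so consider keeping them in the prefix, e.g. "multifd recv (%u): read of 0x%zx bytes at offset ...: " with a format matching the type of data->file_offset. The hunk also now returns ret straight from qio_channel_pread_all() instead of a fixed -1; that is fine only if every caller of multifd_file_recv_data() tests for < 0 rather than == -1, which is worth confirming. Placing ERRP_GUARD() as the first statement is correct and does make the error_prepend() safe for &error_fatal and NULL errp as the commit message states.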