From patchwork Tue Jan 23 14:47:57 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laurent Vivier X-Patchwork-Id: 125525 Delivered-To: patch@linaro.org Received: by 10.46.66.141 with SMTP id h13csp1802916ljf; Tue, 23 Jan 2018 06:54:09 -0800 (PST) X-Google-Smtp-Source: AH8x226xBTH+tWagBSyV+AOpTHB0EIItYBpXA88nx4yIzkeubxnAWo6Z+tO3ygs829c/lhOli0is X-Received: by 10.37.231.140 with SMTP id e134mr2650513ybh.329.1516719249763; Tue, 23 Jan 2018 06:54:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516719249; cv=none; d=google.com; s=arc-20160816; b=EDfoCix0SCodoqQskKPBKgFO3/083Ph+4eReUFasnhnC9BCO6aISZtM1BJdYkppnBT wzsBPoeXNiiOiCVzlS0fekVfRWc8RynGKRqxor9YfEYmEo2kHdjslgppe6MuOp1tJTA7 7G5WcMc7I3PhTQxFnasw0M6yU/CCBkLoFQYifpnlTcNWTgIk+/vAR8HndAYx4oJmq12d BCEzeNdXuGgAYod59qPXH+tVbZoyUgF09fXWVYS6cQwdPQRwf3bJ1cv6XiCJmg/XKtv2 ETvT7LUx2VI255y+UXh2Ue+nDaUPfJkFPR1DGKbDZcITLd1ann62a+M1isx4nehP/xRo O7LQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:cc:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:to:from:arc-authentication-results; bh=QOZwx3X+7XWvpo1A1mvLhMncSSCzVaPysi+bYK3a7IE=; b=mAlmcho1H3aEJqC96xZj5slZ7RHnE6Lu+iOM95hoKIVOQGHS1/D9Qaho0igq4LlOaB KavGE3lqn+mZDIbjJILR6YPDcsAnYuaHDyug/n+rBpxh+WkA9X+UCwhgVoq1DM4lgrd3 E/bkbSKi8XlRkmf9PK7c0sxP40Sil1ouHPdTIRBfc8FeNip9pEPJSWrW9EymNqxVXj+u yJNA4HPzlGRlAioSTLBtGkB85Jqfs1fNslIOtpN4nHnVvgGfW3HSkknkS1vTTJlhze7r mcRFiln4ssxtMTaulzAc7HcRfrMyW6wm6a9/85djSluZ2JNVN8sdHcXipDWab3vxNED2 J0TQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) smtp.mailfrom=qemu-devel-bounces+patch=linaro.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11]) by mx.google.com with ESMTPS id s84si4080611yws.800.2018.01.23.06.54.09 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 23 Jan 2018 06:54:09 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) client-ip=2001:4830:134:3::11; Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) smtp.mailfrom=qemu-devel-bounces+patch=linaro.org@nongnu.org Received: from localhost ([::1]:33619 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1edzxh-0002Y5-3b for patch@linaro.org; Tue, 23 Jan 2018 09:54:09 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43413) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1edzs1-00075T-9q for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1edzrx-0002L4-GN for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:17 -0500 Received: from mout.kundenserver.de ([217.72.192.74]:53530) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1edzrx-0002J7-5P for qemu-devel@nongnu.org; Tue, 23 Jan 2018 09:48:13 -0500 Received: from localhost.localdomain ([78.238.229.36]) by mrelayeu.kundenserver.de (mreue102 [212.227.15.183]) with ESMTPSA (Nemesis) id 0MK26P-1eccpC08ST-001Tjn; Tue, 23 Jan 2018 15:48:11 +0100 From: Laurent Vivier To: qemu-devel@nongnu.org Date: Tue, 23 Jan 2018 15:47:57 +0100 Message-Id: <20180123144807.5618-4-laurent@vivier.eu> X-Mailer: git-send-email 2.14.3 In-Reply-To: <20180123144807.5618-1-laurent@vivier.eu> References: <20180123144807.5618-1-laurent@vivier.eu> X-Provags-ID: V03:K0:3F1/Ic4jxFHZZVXnDMoPYVFwpCGYk66ConPA/+uPXryjzoUeuMr 5Ekzj4QfeCuQweUEwC8IMEzrGPKYlI7EKMuqc70OFIsy+9MOI9jaiwygYJN2Jvl1lzGGoOE 7Ez5NOQkH6hykImKfkBmqidDJ00PmNDwhFG1t9pWGOnDedWXMMc0ISjgQfPMHWEAFIUPYKX 23Th3NXsmTzXi7607iQOg== X-UI-Out-Filterresults: notjunk:1; V01:K0:2RHHCqty9I0=:yPn85MOc9BaxVaA6us0w/B b1P2Ej8zqWzQ7VQbN95fj9knvENB5vzWM/DoRD/RfMyPlWL0UZ6z/hCgzKztOytr3HbEthfGY V4+fkt5FGmqFWaR49Pi1VolMMAGCH6rvP2NXSduLKwBxyyKIHrLhCwHk6vagR2bkFAoZkOJJQ PjdkA0fH1dvUmMC4LEQs5DLxFKcgwFWD5tGHjnLFIRpSdw6qhcbJNhnM6jAC1NIvpekNay6lm Q6keCVvl7kZC0MrbjsVgAmFFdrCLx6SJBh5dbB2+WKhZW1i8RJ2AZg7eW0sueSFCnCr35xpVG 3FY2TyjzzrZQSkETOG5iicuEebMzzBgpziiclhoUtDR2fIrQbXCW9ZwYJnFqRU/7OSfvNxE2e jS6FsuwTCzg50fwnAsMK8aySBHEcqdulp3xenAJO9M9zpc3HW4FG3vlEZnYGv8ZP+RPxR+JGi YZxl2fEnCBEK75omsaQmd1z2eUX5YY7REIXPj/Nt2jfq9F1+erP+uFgZollvDHHIo6sNvKYdq pvil36YBcobh0t/Ag19X7YbNXKDH0TSdPQeQQTMd38W4DCb/NQLduFaSWZHLhfb75RMCGC44g x3ZY1m4QGRfRri5Zxjc+9/XOhpcCtSNLQCGqCKpmknrDUvbJs4zvUjKshmgtzizOgP31FbdYS dE54mDKpR/24pKZbH3sd6mg/BRIjiFsUnIMl4Oa7Gzwh1Tgw3lk4ivmO2CtHeAxjSuOCzwWij ihGkqauL1HIDEjpGHaFEdPHPcrFevcucBGWgWQ== X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 217.72.192.74 Subject: [Qemu-devel] [PULL 03/13] linux-user: Fix length calculations in host_to_target_cmsg() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Laurent Vivier Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" From: Peter Maydell The handling of length calculations in host_to_target_cmsg() was rather confused: * when checking for whether the target cmsg header fit in the remaining buffer, we were using the host struct size, not the target size * we were setting tgt_len to "target payload + header length" but then using it as if it were the target payload length alone * in various message type cases we weren't handling the possibility that host or target buffers were truncated Fix these problems. The second one in particular is liable to result in us overrunning the guest provided buffer, since we will try to convert more data than is actually present. Fixes: https://bugs.launchpad.net/qemu/+bug/1701808 Reported-by: Bruno Haible Signed-off-by: Peter Maydell Message-Id: <1513345976-22958-2-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) -- 2.14.3 diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 11c9116c4a..a1b9772a85 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1782,7 +1782,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, * to the guest via the CTRUNC bit), unlike truncation * in target_to_host_cmsg, which is a QEMU bug. */ - if (msg_controllen < sizeof(struct cmsghdr)) { + if (msg_controllen < sizeof(struct target_cmsghdr)) { target_msgh->msg_flags |= tswap32(MSG_CTRUNC); break; } @@ -1794,8 +1794,6 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, } target_cmsg->cmsg_type = tswap32(cmsg->cmsg_type); - tgt_len = TARGET_CMSG_LEN(len); - /* Payload types which need a different size of payload on * the target must adjust tgt_len here. */ @@ -1809,12 +1807,13 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, break; } default: + tgt_len = len; break; } - if (msg_controllen < tgt_len) { + if (msg_controllen < TARGET_CMSG_LEN(tgt_len)) { target_msgh->msg_flags |= tswap32(MSG_CTRUNC); - tgt_len = msg_controllen; + tgt_len = msg_controllen - sizeof(struct target_cmsghdr); } /* We must now copy-and-convert len bytes of payload @@ -1875,6 +1874,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, uint32_t *v = (uint32_t *)data; uint32_t *t_int = (uint32_t *)target_data; + if (len != sizeof(uint32_t) || + tgt_len != sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1888,6 +1891,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, struct errhdr_t *target_errh = (struct errhdr_t *)target_data; + if (len != sizeof(struct errhdr_t) || + tgt_len != sizeof(struct errhdr_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1911,6 +1918,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, uint32_t *v = (uint32_t *)data; uint32_t *t_int = (uint32_t *)target_data; + if (len != sizeof(uint32_t) || + tgt_len != sizeof(uint32_t)) { + goto unimplemented; + } __put_user(*v, t_int); break; } @@ -1924,6 +1935,10 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, struct errhdr6_t *target_errh = (struct errhdr6_t *)target_data; + if (len != sizeof(struct errhdr6_t) || + tgt_len != sizeof(struct errhdr6_t)) { + goto unimplemented; + } __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); @@ -1950,8 +1965,8 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, } } - target_cmsg->cmsg_len = tswapal(tgt_len); - tgt_space = TARGET_CMSG_SPACE(len); + target_cmsg->cmsg_len = tswapal(TARGET_CMSG_LEN(tgt_len)); + tgt_space = TARGET_CMSG_SPACE(tgt_len); if (msg_controllen < tgt_space) { tgt_space = msg_controllen; }