[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] b8c351: qemu-bridge-helper: Fix misuse of iss
|
From: |
Peter Maydell |
|
Subject: |
[Qemu-commits] [qemu/qemu] b8c351: qemu-bridge-helper: Fix misuse of isspace() |
|
Date: |
Thu, 23 May 2019 04:00:19 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: b8c3511d086c65fa4bc2ca7a128bb3a56ac95306
https://github.com/qemu/qemu/commit/b8c3511d086c65fa4bc2ca7a128bb3a56ac95306
Author: Markus Armbruster <address@hidden>
Date: 2019-05-22 (Wed, 22 May 2019)
Changed paths:
M qemu-bridge-helper.c
Log Message:
-----------
qemu-bridge-helper: Fix misuse of isspace()
parse_acl_file() passes char values to isspace(). Undefined behavior
when the value is negative. Not a security issue, because the
characters come from trusted $prefix/etc/qemu/bridge.conf and the
files it includes.
Furthermore, isspace()'s locale-dependence means qemu-bridge-helper
uses the user's locale for parsing $prefix/etc/bridge.conf. Feels
wrong.
Use g_ascii_isspace() instead. This fixes the undefined behavior, and
makes parsing of $prefix/etc/bridge.conf locale-independent.
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Commit: d18dc3af478664b1d5e0dd3ace1eabb9d160f244
https://github.com/qemu/qemu/commit/d18dc3af478664b1d5e0dd3ace1eabb9d160f244
Author: Markus Armbruster <address@hidden>
Date: 2019-05-22 (Wed, 22 May 2019)
Changed paths:
M tests/vhost-user-bridge.c
Log Message:
-----------
tests/vhost-user-bridge: Fix misuse of isdigit()
vubr_set_host() passes char values to isdigit(). Undefined behavior
when the value is negative.
Fix by using qemu_isdigit() instead.
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
[Missing #include "qemu-common.h" fixed]
Commit: 046aba169bc21c08823cfbe8d4f3b4ad116ac676
https://github.com/qemu/qemu/commit/046aba169bc21c08823cfbe8d4f3b4ad116ac676
Author: Markus Armbruster <address@hidden>
Date: 2019-05-22 (Wed, 22 May 2019)
Changed paths:
M gdbstub.c
Log Message:
-----------
gdbstub: Reject invalid RLE repeat counts
"Debugging with GDB / Appendix E GDB Remote Serial Protocol /
Overview" specifies "The printable characters '#' and '$' or with a
numeric value greater than 126 must not be used." gdb_read_byte()
only rejects values < 32. This is wrong. Impact depends on the caller:
* gdb_handlesig() passes a char. Incorrectly accepts '#', '$' and
'\127'.
* gdb_chr_receive() passes an uint8_t. Additionally accepts
characters with the most-significant bit set.
Correct the validity check to match the specification.
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Message-Id: <address@hidden>
Commit: 33c846efa22d62ea6489371789fc9fbd11b3cd3c
https://github.com/qemu/qemu/commit/33c846efa22d62ea6489371789fc9fbd11b3cd3c
Author: Markus Armbruster <address@hidden>
Date: 2019-05-22 (Wed, 22 May 2019)
Changed paths:
M gdbstub.c
Log Message:
-----------
gdbstub: Fix misuse of isxdigit()
gdb_read_byte() passes its @ch argument to isxdigit(). Undefined
behavior when the value is negative. Two callers:
* gdb_chr_receive() passes an uint8_t value. Safe.
* gdb_handlesig() a char value. Unsafe. Not a security issue,
because the characters come from the gdb client, which is trusted.
The obvious fix would be casting @ch to unsigned char. But note that
gdb_read_byte() already casts @ch to uint8_t in many places. Uses of
@ch without such a cast:
(1) Compare to a character constant with == or !=
(2) s->linesum += ch
(3) Store ch or ch ^ 0x20 into s->line_buf[]
(4) Check for invalid RLE count:
ch < ' ' || ch == '#' || ch == '$' || ch > 126
(5) Pass to isxdigit()
(6) Pass to fromhex()
Change the parameter type from int to uint8_t, and drop the now
redundant casts. Affects the above uses as follows:
(1) No change: the character constants are all non-negative.
(2) Effectively no change: we only ever use s->linesum & 0xff, and
s->linesum is int.
(3) No change: s->line_buf[] is char[].
(4) No change.
(5) Avoid undefined behavior.
(6) No change: only reached when isxdigit(ch)
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Commit: db3d11ee3f0cb851124830172f0a93c3d77a450a
https://github.com/qemu/qemu/commit/db3d11ee3f0cb851124830172f0a93c3d77a450a
Author: Markus Armbruster <address@hidden>
Date: 2019-05-22 (Wed, 22 May 2019)
Changed paths:
M util/cutils.c
Log Message:
-----------
cutils: Simplify how parse_uint() checks for whitespace
Use qemu_isspace() so we don't have to cast to unsigned char.
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Commit: 94b63b6007cb03dc77ab0833259c1e0d5e6b6fc1
https://github.com/qemu/qemu/commit/94b63b6007cb03dc77ab0833259c1e0d5e6b6fc1
Author: Peter Maydell <address@hidden>
Date: 2019-05-23 (Thu, 23 May 2019)
Changed paths:
M gdbstub.c
M qemu-bridge-helper.c
M tests/vhost-user-bridge.c
M util/cutils.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/armbru/tags/pull-misc-2019-05-22' into
staging
Miscellaneous patches for 2019-05-22
# gpg: Signature made Wed 22 May 2019 14:41:08 BST
# gpg: using RSA key 3870B400EB918653
# gpg: Good signature from "Markus Armbruster <address@hidden>" [full]
# gpg: aka "Markus Armbruster <address@hidden>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-misc-2019-05-22:
cutils: Simplify how parse_uint() checks for whitespace
gdbstub: Fix misuse of isxdigit()
gdbstub: Reject invalid RLE repeat counts
tests/vhost-user-bridge: Fix misuse of isdigit()
qemu-bridge-helper: Fix misuse of isspace()
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/297a082700d2...94b63b6007cb
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] b8c351: qemu-bridge-helper: Fix misuse of isspace(),
Peter Maydell <=