Re: [PULL 18/40] linux-user: Fix types in uaccess.c

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PULL 18/40] linux-user: Fix types in uaccess.c

From:	Peter Maydell
Subject:	Re: [PULL 18/40] linux-user: Fix types in uaccess.c
Date:	Wed, 10 Mar 2021 15:48:50 +0000

On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>
> Hi Richard,
>
> I think this commit is the cause of CID 1446711.
>
> There is no concistancy between the various declarations of unlock_user():
>
> bsd-user/qemu.h
>
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
>                                long len)
>
> include/exec/softmmu-semi.h
>
> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
>                                 target_ulong len)
> ...
> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>
> linux-user/qemu.h
>
> #ifndef DEBUG_REMAP
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t 
> len)
> { }
> #else
> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
> #endif
>
> To take a signed long here allows to unconditionnaly call the unlock_user() 
> function after the
> syscall and not to copy the buffer if the value is negative.

Hi; what was the conclusion here about how best to fix the Coverity issue?

To save people looking it up, Coverity complains because in the
TARGET_NR_readlinkat case for linux-user we do:
            void *p2;
            p  = lock_user_string(arg2);
            p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
            if (!p || !p2) {
                ret = -TARGET_EFAULT;
            } else if (is_proc_myself((const char *)p, "exe")) {
                char real[PATH_MAX], *temp;
                temp = realpath(exec_path, real);
                ret = temp == NULL ? get_errno(-1) : strlen(real) ;
                snprintf((char *)p2, arg4, "%s", real);
            } else {
                ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
            }
            unlock_user(p2, arg3, ret);
            unlock_user(p, arg2, 0);

and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
codepaths we can set ret to a negative number, which Coverity thinks
is suspicious given that unlock_user()'s new prototype says it
is an unsigned value. It's correct to be suspicious, because we really
did change from doing a >=0 to a !=0 check on the length.

Unless we really want to audit all the unlock_user() callsites,
going back to the previous semantics seems sensible.

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PULL 18/40] linux-user: Fix types in uaccess.c, Peter Maydell <=
- Re: [PULL 18/40] linux-user: Fix types in uaccess.c, Laurent Vivier, 2021/03/10
  - Re: [PULL 18/40] linux-user: Fix types in uaccess.c, Richard Henderson, 2021/03/11

Prev by Date: RE: [PATCH v2 02/10] target/hexagon: import README for idef-parser
Next by Date: [PATCH] usb: remove '-usbdevice u2f-key'
Previous by thread: [PATCH] qemu-timer: allow freeing a NULL timer
Next by thread: Re: [PULL 18/40] linux-user: Fix types in uaccess.c
Index(es):
- Date
- Thread