[Qemu-stable] [PATCH 06/54] block/nbd: fix segmentation fault when .desc
From: Michael Roth
Subject: [Qemu-stable] [PATCH 06/54] block/nbd: fix segmentation fault when .desc is not null-terminated
Date: Tue, 6 Feb 2018 13:14:27 -0600
From: Murilo Opsfelder Araujo <address@hidden>
The find_desc_by_name() from util/qemu-option.c relies on the .name not being
NULL to call strcmp(). This check becomes unsafe when the list is not
NULL-terminated, which is the case for nbd_runtime_opts in block/nbd.c, and can
result in a segmentation fault when strcmp() tries to access invalid memory:
#0 0x00007fff8c75f7d4 in __strcmp_power9 () from /lib64/libc.so.6
#1 0x00000000102d3ec8 in find_desc_by_name (desc=0x1036d6f0,
name=0x28e46670 "server.path") at util/qemu-option.c:166
#2 0x00000000102d93e0 in qemu_opts_absorb_qdict (opts=0x28e47a80,
qdict=0x28e469a0, errp=0x7fffec247c98) at util/qemu-option.c:1026
#3 0x000000001012a2e4 in nbd_open (bs=0x28e42290, options=0x28e469a0,
flags=24578, errp=0x7fffec247d80) at block/nbd.c:406
#4 0x00000000100144e8 in bdrv_open_driver (bs=0x28e42290, drv=0x1036e070
<bdrv_nbd_unix>, node_name=0x0, options=0x28e469a0, open_flags=24578,
errp=0x7fffec247f50) at block.c:1135
#5 0x0000000010015b04 in bdrv_open_common (bs=0x28e42290, file=0x0,
options=0x28e469a0, errp=0x7fffec247f50) at block.c:1395
From gdb, the desc[i].name was not NULL and resulted in strcmp() accessing
invalid memory:
>>> p desc[5]
$8 = {
name = 0x1037f098 "R27A",
type = 1561964883,
help = 0xc0bbb23e <error: Cannot access memory at address 0xc0bbb23e>,
def_value_str = 0x2 <error: Cannot access memory at address 0x2>
}
>>> p desc[6]
$9 = {
name = 0x103dac78 <__gcov0.do_qemu_init_bdrv_nbd_init> "\001",
type = 272101528,
help = 0x29ec0b754403e31f <error: Cannot access memory at address
0x29ec0b754403e31f>,
def_value_str = 0x81f343b9 <error: Cannot access memory at address
0x81f343b9>
}
This patch fixes the segmentation fault in strcmp() by adding a NULL element at
the end of the nbd_runtime_opts.desc list, which is the common practice for most
other structs like runtime_opts in block/null.c. Thus, the desc[i].name != NULL
check becomes safe because it will not evaluate to true when the .desc list
reaches its end.
Reported-by: R. Nageswara Sastry <address@hidden>
Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
Signed-off-by: Murilo Opsfelder Araujo <address@hidden>
Message-Id: <address@hidden>
CC: address@hidden
Fixes: 7ccc44fd7d1dfa62c4d6f3a680df809d6e7068ce
Signed-off-by: Eric Blake <address@hidden>
(cherry picked from commit c4365735a7d38f4355c6f77e6670d3972315f7c2)
Signed-off-by: Michael Roth <address@hidden>
---
block/nbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/nbd.c b/block/nbd.c
index a50d24b50a..8b8ba56cdd 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -388,6 +388,7 @@ static QemuOptsList nbd_runtime_opts = {
.type = QEMU_OPT_STRING,
.help = "ID of the TLS credentials to use",
},
+ { /* end of list */ }
},
};
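Review bot: the one-line sentinel at the end of the `.desc` array is the right fix, but the `@@ -388,6 +388,7 @@` hunk on its own gives no way to confirm that `nbd_runtime_opts` was the only QemuOptsList left unterminated by the commit named in `Fixes: 7ccc44fd7d1dfa62c4d6f3a680df809d6e7068ce`; since find_desc_by_name() walks `.desc` until it meets a NULL `.name`, any other option list missing `{ /* end of list */ }` has the same out-of-bounds read, so checking every `QemuOptsList` definition for a trailing empty element before backporting would be worthwhile. A short comment next to the sentinel noting that the walker depends on it would also make this harder to drop again.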
--
2.11.0
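An added example, not QEMU code and not part of the patch above: a minimal C reproduction of the sentinel-terminated descriptor walk the commit message describes, beside a bounded variant and an init-time check that a table actually carries its terminator. All names here (OptDesc, find_desc_sentinel, find_desc_bounded, desc_list_is_terminated, and the two constructed tables) are hypothetical.

```c
/* Added example for this page, not QEMU code: a minimal reproduction of the
 * sentinel-terminated option-descriptor walk the commit message describes,
 * beside a bounded variant and a check that a table carries its terminator.
 * All names here (OptDesc, find_desc_sentinel, find_desc_bounded,
 * desc_list_is_terminated, the two tables) are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct OptDesc {
    const char *name;   /* NULL marks the end of the list */
    int type;
    const char *help;
} OptDesc;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Same shape as the walk described in the commit message: the loop stops
 * only when it meets a NULL .name, so a table without a terminating element
 * lets strcmp() read whatever memory follows the array. */
static const OptDesc *find_desc_sentinel(const OptDesc *desc, const char *name)
{
    for (size_t i = 0; desc[i].name != NULL; i++) {
        if (strcmp(desc[i].name, name) == 0) {
            return &desc[i];
        }
    }
    return NULL;
}

/* Bounded variant: also carries the element count, so the walk cannot run
 * past the array even when the terminator was forgotten. */
static const OptDesc *find_desc_bounded(const OptDesc *desc, size_t n,
                                        const char *name)
{
    for (size_t i = 0; i < n && desc[i].name != NULL; i++) {
        if (strcmp(desc[i].name, name) == 0) {
            return &desc[i];
        }
    }
    return NULL;
}

/* Init-time guard: returns 1 when the last element of a table is the
 * sentinel, 0 otherwise. Cheap to run over every table once at startup. */
int desc_list_is_terminated(const OptDesc *desc, size_t n)
{
    return n > 0 && desc[n - 1].name == NULL;
}

/* Constructed tables. The first is terminated; the second reproduces the
 * omission the patch fixes (no sentinel after the last real entry). */
static const OptDesc terminated_opts[] = {
    { "host", 1, "TCP host" },
    { "port", 1, "TCP port" },
    { "tls-creds", 1, "ID of the TLS credentials to use" },
    { NULL }            /* end of list */
};

static const OptDesc unterminated_opts[] = {
    { "host", 1, "TCP host" },
    { "port", 1, "TCP port" },
    { "tls-creds", 1, "ID of the TLS credentials to use" },
};

/* Lookups wrapped so results can be checked. The sentinel walk is only ever
 * run on the terminated table: on the other one it is undefined behaviour,
 * which is exactly the bug the patch fixes. */
int lookup_terminated(const char *name)
{
    return find_desc_sentinel(terminated_opts, name) != NULL;
}

int lookup_bounded_unterminated(const char *name)
{
    return find_desc_bounded(unterminated_opts, ARRAY_SIZE(unterminated_opts),
                             name) != NULL;
}

int main(void)
{
    printf("terminated table has sentinel: %d\n",
           desc_list_is_terminated(terminated_opts, ARRAY_SIZE(terminated_opts)));
    printf("unterminated table has sentinel: %d\n",
           desc_list_is_terminated(unterminated_opts, ARRAY_SIZE(unterminated_opts)));
    printf("server.path found (bounded walk, unterminated table): %d\n",
           lookup_bounded_unterminated("server.path"));
    return 0;
}
```

The bounded walk is the defensive form; the terminator check is the cheap regression test a project can run over every option table at startup or in a unit test, so a table that loses its sentinel fails loudly instead of reading past the end of the array.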