[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 60/78] qga-win: prevent crash when executing guest-file-read with
|
From: |
Michael Roth |
|
Subject: |
[PATCH 60/78] qga-win: prevent crash when executing guest-file-read with large count |
|
Date: |
Tue, 16 Jun 2020 09:15:29 -0500 |
From: Basil Salman <basil@daynix.com>
guest-file-read command is currently implemented to read from a
file handle count number of bytes. when executed with a very large count number
qemu-ga crashes.
after some digging turns out that qemu-ga crashes after trying to allocate
a buffer large enough to save the data read in it, the buffer was allocated
using
g_malloc0 which is not fail safe, and results a crash in case of failure.
g_malloc0 was replaced with g_try_malloc0() which returns NULL on failure,
A check was added for that case in order to prevent qemu-ga from crashing
and to send a response to the qemu-ga client accordingly.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1594054
Signed-off-by: Basil Salman <basil@daynix.com>
Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 807e2b6fce022707418bc8f61c069d91c613b3d2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
qga/commands-win32.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index 55ba5b263a..01e02e4440 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -342,7 +342,13 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool
has_count,
}
fh = gfh->fh;
- buf = g_malloc0(count+1);
+ buf = g_try_malloc0(count + 1);
+ if (!buf) {
+ error_setg(errp,
+ "failed to allocate sufficient memory "
+ "to complete the requested service");
+ return NULL;
+ }
is_ok = ReadFile(fh, buf, count, &read_count, NULL);
if (!is_ok) {
error_setg_win32(errp, GetLastError(), "failed to read file");
--
2.17.1
- [PATCH 51/78] scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[], (continued)
- [PATCH 51/78] scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[], Michael Roth, 2020/06/16
- [PATCH 50/78] virtio: gracefully handle invalid region caches, Michael Roth, 2020/06/16
- [PATCH 52/78] block/qcow2-threads: fix qcow2_decompress, Michael Roth, 2020/06/16
- [PATCH 54/78] block/block-copy: fix progress calculation, Michael Roth, 2020/06/16
- [PATCH 53/78] job: refactor progress to separate object, Michael Roth, 2020/06/16
- [PATCH 56/78] block/io: fix bdrv_co_do_copy_on_readv, Michael Roth, 2020/06/16
- [PATCH 55/78] target/ppc: Fix rlwinm on ppc64, Michael Roth, 2020/06/16
- [PATCH 57/78] compat: disable edid on correct virtio-gpu device, Michael Roth, 2020/06/16
- [PATCH 58/78] qga: Installer: Wait for installation to finish, Michael Roth, 2020/06/16
- [PATCH 59/78] qga-win: Handle VSS_E_PROVIDER_ALREADY_REGISTERED error, Michael Roth, 2020/06/16
- [PATCH 60/78] qga-win: prevent crash when executing guest-file-read with large count,
Michael Roth <=
- [PATCH 05/78] target/arm: ensure we use current exception state after SCR update, Michael Roth, 2020/06/16
- [PATCH 61/78] qga: Fix undefined C behavior, Michael Roth, 2020/06/16
- [PATCH 62/78] qemu-ga: document vsock-listen in the man page, Michael Roth, 2020/06/16
- [PATCH 63/78] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest, Michael Roth, 2020/06/16
- [PATCH 64/78] tcg/i386: Fix INDEX_op_dup2_vec, Michael Roth, 2020/06/16
- [PATCH 65/78] dump: Fix writing of ELF section, Michael Roth, 2020/06/16
- [PATCH 66/78] xen-block: Fix double qlist remove and request leak, Michael Roth, 2020/06/16
- [PATCH 67/78] vhost-user-gpu: Release memory returned by vu_queue_pop() with free(), Michael Roth, 2020/06/16
- [PATCH 68/78] target/ppc: Fix mtmsr(d) L=1 variant that loses interrupts, Michael Roth, 2020/06/16
- [PATCH 69/78] hostmem: don't use mbind() if host-nodes is empty, Michael Roth, 2020/06/16