qemu-devel
[Qemu-devel] [Bug 1781280] [NEW] QEMU ignores all but the first control message sent over a Unix socket


From: Jonas Schievink
Subject: [Qemu-devel] [Bug 1781280] [NEW] QEMU ignores all but the first control message sent over a Unix socket
Date: Wed, 11 Jul 2018 20:17:24 -0000

Public bug reported:

I've written a test program that sends both an SCM_CREDENTIALS and an
SCM_RIGHTS cmsg in the same sendmsg call. On native x86-64, armv6 and
armv7 Linux, this works as expected (the recvmsg receives both control
messages). On QEMU (both qemu-x86_64 and qemu-arm), only the first
message is received.

I've traced the problem back to a glibc bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=13500

This means that writing control messages into an uninitialized buffer
makes CMSG_NXTHDR erroneously return NULL even though there's still
space inside the allocated buffer. QEMU's logic inside
`target_to_host_cmsg` is a bit questionable here, since it stops
encoding cmsgs as soon as *either* the host or the target buffer reaches
its end, so we lose the target's cmsgs when the host's buffer runs out.
However, the host buffer should *never* reach its end before the target
buffer does, so an assertion might be more useful there. Anyway, the
actual fix for this bug is simply zeroing out the buffer created for the
host. I've attached a patch doing that and verified that it fixes the
issue.

The test program I used can be found here:
https://gist.github.com/jonas-schievink/cb6e6584a055539d2113f22d91068e2d

** Affects: qemu
     Importance: Undecided
         Status: New

** Patch added: "0001-Zero-out-the-host-s-msg_control-buffer.patch"
   https://bugs.launchpad.net/bugs/1781280/+attachment/5162557/+files/0001-Zero-out-the-host-s-msg_control-buffer.patch

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1781280

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1781280/+subscriptions
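The mechanism behind the report, as an added example that is not the reporter's test program, the attached patch, or QEMU code: it lays out the same two control messages (SCM_CREDENTIALS, then SCM_RIGHTS) into a buffer that is either zeroed first, as the patch does, or pre-filled with 0x0f bytes as a constructed stand-in for whatever stale contents an uninitialized buffer happens to hold. Instead of calling the host libc's CMSG_NXTHDR, whose behaviour depends on the glibc version installed, the walk is done with two reimplementations written here: one mirroring the pre-fix glibc logic that glibc bug 13500 describes (it inspects the not-yet-written cmsg_len of the slot it is about to hand out), and one mirroring the kernel's walker, which only asks whether another header fits. Function names and the fill value are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Room for SCM_CREDENTIALS (struct ucred) plus SCM_RIGHTS (one int);
 * the union keeps the byte array aligned like a struct cmsghdr. */
union cmsg_buf {
    struct cmsghdr align;
    unsigned char bytes[CMSG_SPACE(sizeof(struct ucred)) + CMSG_SPACE(sizeof(int))];
};

/* Walker in the style of glibc's pre-fix __cmsg_nxthdr (bug 13500).
 * Arithmetic is done on uintptr_t so it stays defined for absurd lengths. */
static struct cmsghdr *nxthdr_glibc_style(const struct msghdr *mh, struct cmsghdr *c)
{
    uintptr_t end = (uintptr_t)mh->msg_control + mh->msg_controllen;
    uintptr_t next;

    if (c->cmsg_len < sizeof(struct cmsghdr))
        return NULL;
    next = (uintptr_t)c + CMSG_ALIGN(c->cmsg_len);
    if (next + sizeof(struct cmsghdr) > end)
        return NULL;
    /* This is the check the glibc bug is about: it reads cmsg_len from the
     * slot that is about to be handed out, so stale bytes decide the result. */
    if (next + CMSG_ALIGN(((struct cmsghdr *)next)->cmsg_len) > end)
        return NULL;
    return (struct cmsghdr *)next;
}

/* Walker in the style of the kernel's __cmsg_nxthdr: only asks whether a
 * whole header still fits, never looking at the slot's contents. */
static struct cmsghdr *nxthdr_kernel_style(const struct msghdr *mh, struct cmsghdr *c)
{
    uintptr_t end = (uintptr_t)mh->msg_control + mh->msg_controllen;
    uintptr_t next = (uintptr_t)c + CMSG_ALIGN(c->cmsg_len);

    if (next + sizeof(struct cmsghdr) > end)
        return NULL;
    return (struct cmsghdr *)next;
}

/* Place SCM_CREDENTIALS then SCM_RIGHTS into a fresh buffer, advancing with
 * the chosen walker. zero_first applies the fix from the report. Returns
 * how many headers were placed: 2 when the walk reached both slots. */
static int build_two_cmsgs(bool zero_first, bool glibc_style)
{
    union cmsg_buf b;
    struct msghdr mh;
    struct ucred cred = { .pid = getpid(), .uid = getuid(), .gid = getgid() };
    int fd = STDERR_FILENO;   /* any open descriptor; nothing is ever sent here */
    struct cmsghdr *c;

    /* 0x0f is a constructed stand-in for uninitialized contents; any large
     * stale value in the second slot has the same effect. */
    memset(b.bytes, zero_first ? 0 : 0x0f, sizeof b.bytes);
    memset(&mh, 0, sizeof mh);
    mh.msg_control = b.bytes;
    mh.msg_controllen = sizeof b.bytes;

    c = CMSG_FIRSTHDR(&mh);   /* only looks at msg_controllen, never at contents */
    if (c == NULL)
        return 0;
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof cred);
    memcpy(CMSG_DATA(c), &cred, sizeof cred);

    c = glibc_style ? nxthdr_glibc_style(&mh, c) : nxthdr_kernel_style(&mh, c);
    if (c == NULL)
        return 1;             /* second message silently dropped */
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return 2;
}

int main(void)
{
    printf("zeroed buffer, glibc-style walk:  %d cmsgs\n", build_two_cmsgs(true, true));
    printf("stale buffer,  glibc-style walk:  %d cmsgs\n", build_two_cmsgs(false, true));
    printf("stale buffer,  kernel-style walk: %d cmsgs\n", build_two_cmsgs(false, false));
    return 0;
}
```

Only the combination of stale contents and the glibc-style walk loses the second message; zeroing the buffer makes the unwritten slot's cmsg_len read as 0, which the extra check accepts, and the kernel-style walk never consults it at all. Receive-side walks are not affected by this, because the kernel writes every byte it accounts for in msg_controllen before user space reads it; the exposure is specifically in code that builds control messages with CMSG_NXTHDR into a buffer it did not clear, which is what the patch in the report addresses for QEMU's host-side copy.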
