From: Michael S. Tsirkin
Subject: Re: [PATCH v2 08/14] virtio-net: Fix duplex=... and speed=... error handling
Date: Wed, 22 Apr 2020 10:24:39 -0400
On Wed, Apr 22, 2020 at 03:07:13PM +0200, Markus Armbruster wrote:
> virtio_net_device_realize() rejects invalid duplex and speed values.
> The error handling is broken:
>
> $ ../qemu/bld-sani/x86_64-softmmu/qemu-system-x86_64 -S -display none
> -monitor stdio
> QEMU 4.2.93 monitor - type 'help' for more information
> (qemu) device_add virtio-net,duplex=x
> Error: 'duplex' must be 'half' or 'full'
> (qemu) c
> =================================================================
> ==15654==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x62e000014590 at pc 0x560b75c8dc13 bp 0x7fffdf1a6950 sp 0x7fffdf1a6940
> READ of size 8 at 0x62e000014590 thread T0
> #0 0x560b75c8dc12 in object_dynamic_cast_assert
> /work/armbru/qemu/qom/object.c:826
> #1 0x560b74c38ac0 in virtio_vmstate_change
> /work/armbru/qemu/hw/virtio/virtio.c:3210
> #2 0x560b74d9765e in vm_state_notify /work/armbru/qemu/softmmu/vl.c:1271
> #3 0x560b7494ba72 in vm_prepare_start /work/armbru/qemu/cpus.c:2156
> #4 0x560b7494bacd in vm_start /work/armbru/qemu/cpus.c:2162
> #5 0x560b75a7d890 in qmp_cont /work/armbru/qemu/monitor/qmp-cmds.c:160
> #6 0x560b75a8d70a in hmp_cont /work/armbru/qemu/monitor/hmp-cmds.c:1043
> #7 0x560b75a799f2 in handle_hmp_command
> /work/armbru/qemu/monitor/hmp.c:1082
> [...]
>
> 0x62e000014590 is located 33168 bytes inside of 42288-byte region
> [0x62e00000c400,0x62e000016930)
> freed by thread T1 here:
> #0 0x7feadd39491f in __interceptor_free (/lib64/libasan.so.5+0x10d91f)
> #1 0x7feadcebcd7c in g_free (/lib64/libglib-2.0.so.0+0x55d7c)
> #2 0x560b75c8fd40 in object_unref /work/armbru/qemu/qom/object.c:1128
> #3 0x560b7498a625 in memory_region_unref /work/armbru/qemu/memory.c:1762
> #4 0x560b74999fa4 in do_address_space_destroy
> /work/armbru/qemu/memory.c:2788
> #5 0x560b762362fc in call_rcu_thread /work/armbru/qemu/util/rcu.c:283
> #6 0x560b761c8884 in qemu_thread_start
> /work/armbru/qemu/util/qemu-thread-posix.c:519
> #7 0x7fead9be34bf in start_thread (/lib64/libpthread.so.0+0x84bf)
>
> previously allocated by thread T0 here:
> #0 0x7feadd394d18 in __interceptor_malloc (/lib64/libasan.so.5+0x10dd18)
> #1 0x7feadcebcc88 in g_malloc (/lib64/libglib-2.0.so.0+0x55c88)
> #2 0x560b75c8cf8a in object_new /work/armbru/qemu/qom/object.c:699
> #3 0x560b75010ad9 in qdev_device_add
> /work/armbru/qemu/qdev-monitor.c:654
> #4 0x560b750120c2 in qmp_device_add /work/armbru/qemu/qdev-monitor.c:805
> #5 0x560b75012c1b in hmp_device_add /work/armbru/qemu/qdev-monitor.c:905
> [...]
> ==15654==ABORTING
>
> Cause: virtio_net_device_realize() neglects to bail out after setting
> the error. Fix that.
>
> Fixes: 9473939ed7addcaaeb8fde5c093918fb7fa0919c
> Cc: "Michael S. Tsirkin" <address@hidden>
> Cc: Jason Wang <address@hidden>
> Signed-off-by: Markus Armbruster <address@hidden>
> Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Acked-by: Michael S. Tsirkin <address@hidden>
Feel free to merge with the rest of the patchset.
> ---
> hw/net/virtio-net.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index a46e3b37a7..b52ff4ab63 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -2947,6 +2947,7 @@ static void virtio_net_device_realize(DeviceState *dev,
> Error **errp)
> n->net_conf.duplex = DUPLEX_FULL;
> } else {
> error_setg(errp, "'duplex' must be 'half' or 'full'");
> + return;
> }
> n->host_features |= (1ULL << VIRTIO_NET_F_SPEED_DUPLEX);
> } else {
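Review bot: the bare `return;` added after `error_setg(errp, "'duplex' must be 'half' or 'full'");` is only safe if nothing earlier in virtio_net_device_realize() has been allocated or registered that would need unwinding; the hunk's context does not show the preceding code, so it is worth confirming that the duplex check runs before any notifier or vmstate registration, otherwise a jump to a cleanup label would be needed instead of a plain return.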
> @@ -2955,7 +2956,9 @@ static void virtio_net_device_realize(DeviceState *dev,
> Error **errp)
>
> if (n->net_conf.speed < SPEED_UNKNOWN) {
> error_setg(errp, "'speed' must be between 0 and INT_MAX");
> - } else if (n->net_conf.speed >= 0) {
> + return;
> + }
> + if (n->net_conf.speed >= 0) {
> n->host_features |= (1ULL << VIRTIO_NET_F_SPEED_DUPLEX);
> }
>
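Review bot: splitting `} else if (n->net_conf.speed >= 0) {` into `return;` followed by an independent `if (n->net_conf.speed >= 0) {` is behaviour-preserving, since the early return makes the else implicit. Not introduced by this patch, but visible in the hunk: the message `'speed' must be between 0 and INT_MAX` does not match the check `if (n->net_conf.speed < SPEED_UNKNOWN)`, which lets any value from SPEED_UNKNOWN (the -1 sentinel) up to but excluding 0 pass without setting VIRTIO_NET_F_SPEED_DUPLEX; either the message should mention the unknown-speed sentinel or the check should be tightened in a follow-up.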
> --
> 2.21.1
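The failure mode the commit message describes, as an added C model that is not QEMU code and not part of this thread: a realize() that records an error through an `Error **`-style out-parameter but keeps running, so it registers a vmstate-change callback holding the device pointer; the caller sees the error and frees the device, and the registered callback now dangles, which is consistent with the heap-use-after-free trace above (virtio_vmstate_change reading an object freed by object_unref). All names in the block (toy_error, toy_device, register_vmstate_handler, device_add, FEATURE_SPEED_DUPLEX) are invented stand-ins for the QEMU machinery; the only behaviour mirrored from the patch is "bail out right after error_setg".

```c
/* Added example, not QEMU code: toy stand-ins for QEMU's Error **errp
 * convention, a device object, and vmstate-change handler registration,
 * used to show why continuing after error_setg() leaves a dangling pointer. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct toy_error { char msg[128]; } toy_error;

/* Stand-in for error_setg(): allocate and fill the error out-parameter. */
static void toy_error_setg(toy_error **errp, const char *msg) {
    if (!errp) return;
    toy_error *e = calloc(1, sizeof *e);
    snprintf(e->msg, sizeof e->msg, "%s", msg);
    *errp = e;
}

typedef struct toy_device {
    const char *duplex;               /* user-supplied property value */
    unsigned long long host_features;
} toy_device;

#define FEATURE_SPEED_DUPLEX (1ULL << 63)   /* constructed feature bit */

/* Stand-in for vmstate change notifier registration: the callback would
 * receive this device pointer later, e.g. when the VM is continued. */
#define MAX_HANDLERS 8
static toy_device *vmstate_handlers[MAX_HANDLERS];
static int n_handlers;

static void register_vmstate_handler(toy_device *d) {
    if (n_handlers < MAX_HANDLERS) vmstate_handlers[n_handlers++] = d;
}

static bool duplex_valid(const toy_device *d) {
    return strcmp(d->duplex, "half") == 0 || strcmp(d->duplex, "full") == 0;
}

/* The "before" shape: the error is recorded, but realize continues and
 * still registers a handler that captures d. */
static void realize_buggy(toy_device *d, toy_error **errp) {
    if (duplex_valid(d)) {
        d->host_features |= FEATURE_SPEED_DUPLEX;
    } else {
        toy_error_setg(errp, "'duplex' must be 'half' or 'full'");
        /* missing return: execution falls through to the registration */
    }
    register_vmstate_handler(d);
}

/* The "after" shape from the patch: return as soon as the error is set,
 * so nothing downstream ever sees the half-initialised device. */
static void realize_fixed(toy_device *d, toy_error **errp) {
    if (duplex_valid(d)) {
        d->host_features |= FEATURE_SPEED_DUPLEX;
    } else {
        toy_error_setg(errp, "'duplex' must be 'half' or 'full'");
        return;
    }
    register_vmstate_handler(d);
}

/* Mimics the caller's contract (qdev_device_add): realize the device and,
 * on error, drop it.  Returns how many registered handlers still reference
 * the device that is about to be freed, i.e. the number of pointers that
 * would dangle (0 means the failed realize left no trace behind). */
static int device_add(const char *duplex,
                      void (*realize)(toy_device *, toy_error **)) {
    n_handlers = 0;
    toy_device *d = calloc(1, sizeof *d);
    d->duplex = duplex;
    toy_error *err = NULL;
    realize(d, &err);
    if (!err) {
        return 0;                 /* success: device stays alive, handlers valid */
    }
    int dangling = 0;
    for (int i = 0; i < n_handlers; i++) {
        if (vmstate_handlers[i] == d) dangling++;
    }
    free(err);
    free(d);                      /* object_unref() in the real code */
    return dangling;
}

int main(void) {
    printf("buggy realize, duplex=x:    %d dangling handler(s)\n",
           device_add("x", realize_buggy));
    printf("fixed realize, duplex=x:    %d dangling handler(s)\n",
           device_add("x", realize_fixed));
    printf("fixed realize, duplex=full: %d dangling handler(s)\n",
           device_add("full", realize_fixed));
    return 0;
}
```

The model makes the contract explicit: once a realize function has set `*errp`, every later side effect is a liability, because the caller is entitled to tear the object down immediately. Early return is the simplest way to honour that; where resources were already acquired, the same rule calls for an unwind path rather than a plain return.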