Message ID | 20230508200343.791450-8-eblake@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | Fix qemu_strtosz() read-out-of-bounds |
On Mon, May 08, 2023 at 03:03:39PM -0500, Eric Blake wrote:
> As shown in the previous commit, qemu_strtosz_MiB sometimes leaves the
> result value untoutched (we have to audit further to learn that in

untouched

> that case, the QAPI generator says that visit_type_NumaOptions() will
> have zero-initialized it), and sometimes leaves it with the value of a
> partial parse before -EINVAL occurs because of trailing garbage.
> Rather than blindly treating any string the user may throw at us as
> valid, we should check for parse failures.
>
> Fiuxes: cc001888 ("numa: fixup parsed NumaNodeOptions earlier", v2.11.0)
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
diff --git a/hw/core/numa.c b/hw/core/numa.c index d8d36b16d80..f08956ddb0f 100644 --- a/hw/core/numa.c +++ b/hw/core/numa.c @@ -531,10 +531,17 @@ static int parse_numa(void *opaque, QemuOpts *opts, Error **errp) /* Fix up legacy suffix-less format */ if ((object->type == NUMA_OPTIONS_TYPE_NODE) && object->u.node.has_mem) { const char *mem_str = qemu_opt_get(opts, "mem"); - qemu_strtosz_MiB(mem_str, NULL, &object->u.node.mem); + int ret = qemu_strtosz_MiB(mem_str, NULL, &object->u.node.mem); + + if (ret < 0) { + error_setg_errno(&err, -ret, "could not parse memory size '%s'", + mem_str); + } } - set_numa_options(ms, object, &err); + if (!err) { + set_numa_options(ms, object, &err); + } qapi_free_NumaOptions(object); if (err) {
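Review bot: the new `if (!err)` guard before set_numa_options() is load-bearing, not just tidy: set_numa_options() takes &err, and QEMU's error_setg() family asserts that the destination is still NULL, so reaching it with the parse error already stored would abort instead of reporting; a one-line comment at the guard, or routing the parse failure straight to the function's existing `if (err)` cleanup, would make that dependency obvious to the next reader. Also consider plain error_setg() instead of error_setg_errno() for this message: the -EINVAL case the commit message names renders as "could not parse memory size '...': Invalid argument", and the strerror suffix adds nothing the prefix does not already say. Leaving the partially parsed value in object->u.node.mem on failure is fine only because qapi_free_NumaOptions(object) follows and the object is never used once err is set, so that ordering should be kept if the hunk is reworked.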
As shown in the previous commit, qemu_strtosz_MiB sometimes leaves the
result value untouched (we have to audit further to learn that in
that case, the QAPI generator says that visit_type_NumaOptions() will
have zero-initialized it), and sometimes leaves it with the value of a
partial parse before -EINVAL occurs because of trailing garbage.
Rather than blindly treating any string the user may throw at us as
valid, we should check for parse failures.

Fixes: cc001888 ("numa: fixup parsed NumaNodeOptions earlier", v2.11.0)
Signed-off-by: Eric Blake <eblake@redhat.com>
---
hw/core/numa.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
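The hazard the commit message describes, as an added example that is not QEMU's code: a hypothetical toy stand-in for qemu_strtosz_MiB() (it only imitates the "untouched or partially written result" behaviour, it is not the real parser) next to a caller that checks the return value the way the patched parse_numa() does, plus a function showing what an unchecked call leaves behind.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for qemu_strtosz_MiB(), not the real QEMU parser:
 * decimal digits, optional K/M/G suffix, default unit MiB. It mimics the
 * hazard the commit message describes: a leading non-digit fails without
 * touching *result, trailing garbage fails only after storing the value. */
static int toy_strtosz_MiB(const char *str, uint64_t *result)
{
    char *end;
    uint64_t mul = 1024ULL * 1024;
    unsigned long long val;

    if (str == NULL || !isdigit((unsigned char)str[0])) {
        return -EINVAL;                       /* *result left untouched */
    }
    errno = 0;
    val = strtoull(str, &end, 10);
    switch (*end) {
    case 'K': case 'k': mul = 1024ULL; end++; break;
    case 'M': case 'm': end++; break;
    case 'G': case 'g': mul = 1024ULL << 20; end++; break;
    }
    if (errno == ERANGE || val > UINT64_MAX / mul) {
        return -ERANGE;
    }
    *result = val * mul;                      /* partial value stored ... */
    return *end == '\0' ? 0 : -EINVAL;        /* ... then garbage rejected */
}

/* Caller in the spirit of the patched parse_numa(): the size is accepted
 * only when the parse succeeded. Returns the size in MiB, or -errno. */
long long parse_node_mem_mib(const char *mem_str)
{
    uint64_t mem = 0;                         /* zero-initialised, like the QAPI struct */
    int ret = toy_strtosz_MiB(mem_str, &mem);

    return ret < 0 ? ret : (long long)(mem >> 20);
}

/* The bug the patch closes: with the return value ignored, "512abc" leaves
 * 512 MiB behind even though the parse failed. Returns 1 when that happens. */
int unchecked_parse_keeps_partial(void)
{
    uint64_t mem = 0;
    (void)toy_strtosz_MiB("512abc", &mem);    /* return ignored, as before the fix */
    return mem == (512ULL << 20);
}
```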