Message ID | 20231025101245.751559-2-clg@redhat.com (mailing list archive) |
State | New, archived |
Series | vfio/pci: Fix buffer overrun when writing the VF token | expand |
Cédric Le Goater <clg@redhat.com> wrote: > qemu_uuid_unparse() includes a trailing NUL when writing the uuid > string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a > define for this size and use it where required. > > Cc: Fam Zheng <fam@euphon.net> > Signed-off-by: Cédric Le Goater <clg@redhat.com> > --- > include/qemu/uuid.h | 1 + > block/parallels-ext.c | 2 +- > block/vdi.c | 2 +- > hw/core/qdev-properties-system.c | 2 +- > hw/hyperv/vmbus.c | 4 ++-- > migration/savevm.c | 4 ++-- > tests/unit/test-uuid.c | 2 +- > util/uuid.c | 2 +- > 8 files changed, 10 insertions(+), 9 deletions(-) > > diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h Reviewed-by: Juan Quintela <quintela@redhat.com>
On 25/10/23 12:12, Cédric Le Goater wrote: > qemu_uuid_unparse() includes a trailing NUL when writing the uuid > string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a > define for this size and use it where required. > > Cc: Fam Zheng <fam@euphon.net> > Signed-off-by: Cédric Le Goater <clg@redhat.com> > --- > include/qemu/uuid.h | 1 + > block/parallels-ext.c | 2 +- > block/vdi.c | 2 +- > hw/core/qdev-properties-system.c | 2 +- > hw/hyperv/vmbus.c | 4 ++-- > migration/savevm.c | 4 ++-- > tests/unit/test-uuid.c | 2 +- > util/uuid.c | 2 +- > 8 files changed, 10 insertions(+), 9 deletions(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> > diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h > index e24a1099e45f2dfc330a578d3ccbe74f3e52e6c1..4e7afaf1d5bd5d382fefbd6f6275d69cf25e7483 100644 > --- a/include/qemu/uuid.h > +++ b/include/qemu/uuid.h > @@ -79,6 +79,7 @@ typedef struct { > "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx" > > #define UUID_FMT_LEN 36 > +#define UUID_STR_LEN (UUID_FMT_LEN + 1) > > #define UUID_NONE "00000000-0000-0000-0000-000000000000" After this patch, when do we need UUID_FMT_LEN? If it is dangerous, better drop it and keep: #define UUID_STR_LEN (36 + 1) or #define UUID_STR_LEN (36 + sizeof('\0'))
diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h index e24a1099e45f2dfc330a578d3ccbe74f3e52e6c1..4e7afaf1d5bd5d382fefbd6f6275d69cf25e7483 100644 --- a/include/qemu/uuid.h +++ b/include/qemu/uuid.h @@ -79,6 +79,7 @@ typedef struct { "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx" #define UUID_FMT_LEN 36 +#define UUID_STR_LEN (UUID_FMT_LEN + 1) #define UUID_NONE "00000000-0000-0000-0000-000000000000" diff --git a/block/parallels-ext.c b/block/parallels-ext.c index 8a109f005ae73e848658e3f044968307a0bfd99d..4d8ecf5047abfe4ba0e7273139638649f5d101a0 100644 --- a/block/parallels-ext.c +++ b/block/parallels-ext.c @@ -130,7 +130,7 @@ static BdrvDirtyBitmap *parallels_load_bitmap(BlockDriverState *bs, g_autofree uint64_t *l1_table = NULL; BdrvDirtyBitmap *bitmap; QemuUUID uuid; - char uuidstr[UUID_FMT_LEN + 1]; + char uuidstr[UUID_STR_LEN]; int i; if (data_size < sizeof(bf)) { diff --git a/block/vdi.c b/block/vdi.c index fd7e3653832f890776e03a845a157fede10655b3..fa6e5e198c5d8f4047f0ecddece2493158fe6bc2 100644 --- a/block/vdi.c +++ b/block/vdi.c @@ -239,7 +239,7 @@ static void vdi_header_to_le(VdiHeader *header) static void vdi_header_print(VdiHeader *header) { - char uuidstr[37]; + char uuidstr[UUID_STR_LEN]; QemuUUID uuid; logout("text %s", header->text); logout("signature 0x%08x\n", header->signature); diff --git a/hw/core/qdev-properties-system.c b/hw/core/qdev-properties-system.c index 8e0acf50d6ca045938a44d6d72547607f919ca79..e2130c7d989ebcdb3195cc6040025c732acf4338 100644 --- a/hw/core/qdev-properties-system.c +++ b/hw/core/qdev-properties-system.c @@ -1100,7 +1100,7 @@ static void get_uuid(Object *obj, Visitor *v, const char *name, void *opaque, { Property *prop = opaque; QemuUUID *uuid = object_field_prop_ptr(obj, prop); - char buffer[UUID_FMT_LEN + 1]; + char buffer[UUID_STR_LEN]; char *p = buffer; qemu_uuid_unparse(uuid, buffer); 
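Review bot: The new `UUID_STR_LEN` define in include/qemu/uuid.h carries no comment saying what the extra byte is for, so a reader still has to open util/uuid.c to learn that UUID_FMT_LEN is the printed length and UUID_STR_LEN is the buffer size that includes the terminator. A one-line comment above the define would fix that: `/* Buffer size for an unparsed UUID: UUID_FMT_LEN characters plus the NUL terminator */`. The same distinction is worth stating on the qemu_uuid_unparse() prototype, which presumably lives in this header but is outside the hunk.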
diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c index 271289f902f812ad1aeac3ee426249bba02a9d41..c64eaa5a46a04433dfc33313bbd4fdda8c619868 100644 --- a/hw/hyperv/vmbus.c +++ b/hw/hyperv/vmbus.c @@ -2271,7 +2271,7 @@ static void vmbus_dev_realize(DeviceState *dev, Error **errp) VMBus *vmbus = VMBUS(qdev_get_parent_bus(dev)); BusChild *child; Error *err = NULL; - char idstr[UUID_FMT_LEN + 1]; + char idstr[UUID_STR_LEN]; assert(!qemu_uuid_is_null(&vdev->instanceid)); @@ -2467,7 +2467,7 @@ static char *vmbus_get_dev_path(DeviceState *dev) static char *vmbus_get_fw_dev_path(DeviceState *dev) { VMBusDevice *vdev = VMBUS_DEVICE(dev); - char uuid[UUID_FMT_LEN + 1]; + char uuid[UUID_STR_LEN]; qemu_uuid_unparse(&vdev->instanceid, uuid); return g_strdup_printf("%s@%s", qdev_fw_name(dev), uuid); diff --git a/migration/savevm.c b/migration/savevm.c index 8622f229e517f2ad8af80d3654146c16827be2e1..d5f3eafe3b15e289fd64ef5b6ded8bb3b1670596 100644 --- a/migration/savevm.c +++ b/migration/savevm.c @@ -469,8 +469,8 @@ static bool vmstate_uuid_needed(void *opaque) static int vmstate_uuid_post_load(void *opaque, int version_id) { SaveState *state = opaque; - char uuid_src[UUID_FMT_LEN + 1]; - char uuid_dst[UUID_FMT_LEN + 1]; + char uuid_src[UUID_STR_LEN]; + char uuid_dst[UUID_STR_LEN]; if (!qemu_uuid_set) { /* diff --git a/tests/unit/test-uuid.c b/tests/unit/test-uuid.c index aedc125ae98fb3a0b343603f2f0d022f4b8161c4..739b91583cfd97bb4d18256408338695fe87ef15 100644 --- a/tests/unit/test-uuid.c +++ b/tests/unit/test-uuid.c @@ -145,7 +145,7 @@ static void test_uuid_unparse(void) int i; for (i = 0; i < ARRAY_SIZE(uuid_test_data); i++) { - char out[37]; + char out[UUID_STR_LEN]; if (!uuid_test_data[i].check_unparse) { continue; diff --git a/util/uuid.c b/util/uuid.c index d71aa79e5ea433a9f3216b0b24d6276086607604..234619dd5e69a694d47bb299eb2536e5790b9863 100644 --- a/util/uuid.c +++ b/util/uuid.c 
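Review bot: In tests/unit/test-uuid.c the buffer `out` is now sized by UUID_STR_LEN, but nothing in the hunk checks that qemu_uuid_unparse() actually places the terminator at index UUID_FMT_LEN, which is the property this series relies on for every buffer it resizes. The loop body continues outside the hunk, so if it is not already asserted there, `g_assert_cmpuint(strlen(out), ==, UUID_FMT_LEN);` after the unparse call would pin it and catch a future format change that grows the string.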
@@ -51,7 +51,7 @@ int qemu_uuid_is_equal(const QemuUUID *lhv, const QemuUUID *rhv)
 void qemu_uuid_unparse(const QemuUUID *uuid, char *out)
 {
     const unsigned char *uu = &uuid->data[0];
-    snprintf(out, UUID_FMT_LEN + 1, UUID_FMT,
+    snprintf(out, UUID_STR_LEN, UUID_FMT,
              uu[0], uu[1], uu[2], uu[3], uu[4], uu[5], uu[6], uu[7],
              uu[8], uu[9], uu[10], uu[11], uu[12], uu[13], uu[14], uu[15]);
 }
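Review bot: qemu_uuid_unparse() in util/uuid.c still bounds snprintf() by the constant UUID_STR_LEN rather than by the size of the caller's buffer, so `out` must be at least UUID_STR_LEN bytes and nothing in the signature enforces that; a caller that sizes its array with UUID_FMT_LEN gets exactly the one-byte overrun this series is fixing. The contract is only conveyed by the callers' array sizes, so a doc comment on the definition (and on the prototype in include/qemu/uuid.h, outside this hunk) would make it explicit: `/* @out must point to at least UUID_STR_LEN bytes; the result is NUL-terminated. */`.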
qemu_uuid_unparse() includes a trailing NUL when writing the uuid string and the buffer size should be UUID_FMT_LEN + 1 bytes. Add a define for this size and use it where required. Cc: Fam Zheng <fam@euphon.net> Signed-off-by: Cédric Le Goater <clg@redhat.com> --- include/qemu/uuid.h | 1 + block/parallels-ext.c | 2 +- block/vdi.c | 2 +- hw/core/qdev-properties-system.c | 2 +- hw/hyperv/vmbus.c | 4 ++-- migration/savevm.c | 4 ++-- tests/unit/test-uuid.c | 2 +- util/uuid.c | 2 +- 8 files changed, 10 insertions(+), 9 deletions(-)