[v2,0/3] vfio/pci: Fix buffer overrun when writing the VF token

Message ID	20231026070636.1165037-1-clg@redhat.com (mailing list archive)
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@redhat.com> To: qemu-devel@nongnu.org Cc: Stefan Hajnoczi <stefanha@redhat.com>, "Denis V . Lunev" <den@openvz.org>, Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>, Stefan Weil <sw@weilnetz.de>, Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, "Maciej S . Szmigiero" <maciej.szmigiero@oracle.com>, Fam Zheng <fam@euphon.net>, Juan Quintela <quintela@redhat.com>, Peter Xu <peterx@redhat.com>, Fabiano Rosas <farosas@suse.de>, Leonardo Bras <leobras@redhat.com>, =?utf-8?q?C=C3=A9dric_Le_Goater?= <clg@redhat.com> Subject: [PATCH v2 0/3] vfio/pci: Fix buffer overrun when writing the VF token Date: Thu, 26 Oct 2023 09:06:33 +0200 Message-ID: <20231026070636.1165037-1-clg@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2404:9400:2221:ea00::3; envelope-from=SRS0=sG9D=GI=redhat.com=clg@ozlabs.org; helo=gandalf.ozlabs.org X-Spam_score_int: -39 X-Spam_score: -4.0 X-Spam_bar: ---- X-Spam_report: (-4.0 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	vfio/pci: Fix buffer overrun when writing the VF token \| expand [v2,0/3] vfio/pci: Fix buffer overrun when writing the VF token [v2,1/3] util/uuid: Add UUID_STR_LEN definition [v2,2/3] vfio/pci: Fix buffer overrun when writing the VF token [v2,3/3] util/uuid: Remove UUID_FMT_LEN

Cédric Le Goater Oct. 26, 2023, 7:06 a.m. UTC

Hello,

This series fixes a buffer overrun in VFIO. The buffer used in
vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
one byte for the trailing NUL.

Instead of adding + 1, as done elsewhere, the changes introduce a
UUID_STR_LEN define for the correct size and use it where required.

Thanks,

C. 

Changes in v2:
 - removal of UUID_FMT_LEN

Cédric Le Goater (3):
  util/uuid: Add UUID_STR_LEN definition
  vfio/pci: Fix buffer overrun when writing the VF token
  util/uuid: Remove UUID_FMT_LEN

 include/qemu/uuid.h              | 2 +-
 block/parallels-ext.c            | 2 +-
 block/vdi.c                      | 2 +-
 hw/core/qdev-properties-system.c | 2 +-
 hw/hyperv/vmbus.c                | 4 ++--
 hw/vfio/pci.c                    | 2 +-
 migration/savevm.c               | 4 ++--
 tests/unit/test-uuid.c           | 2 +-
 util/uuid.c                      | 2 +-
 9 files changed, 11 insertions(+), 11 deletions(-)

Denis V. Lunev Oct. 26, 2023, 8:41 a.m. UTC | #1

On 10/26/23 09:06, Cédric Le Goater wrote:
> Hello,
>
> This series fixes a buffer overrun in VFIO. The buffer used in
> vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
> one byte for the trailing NUL.
>
> Instead of adding + 1, as done elsewhere, the changes introduce a
> UUID_STR_LEN define for the correct size and use it where required.
>
> Thanks,
>
> C.
>
> Changes in v2:
>   - removal of UUID_FMT_LEN
>
> Cédric Le Goater (3):
>    util/uuid: Add UUID_STR_LEN definition
>    vfio/pci: Fix buffer overrun when writing the VF token
>    util/uuid: Remove UUID_FMT_LEN
>
>   include/qemu/uuid.h              | 2 +-
>   block/parallels-ext.c            | 2 +-
>   block/vdi.c                      | 2 +-
>   hw/core/qdev-properties-system.c | 2 +-
>   hw/hyperv/vmbus.c                | 4 ++--
>   hw/vfio/pci.c                    | 2 +-
>   migration/savevm.c               | 4 ++--
>   tests/unit/test-uuid.c           | 2 +-
>   util/uuid.c                      | 2 +-
>   9 files changed, 11 insertions(+), 11 deletions(-)
>
Reviwed-by: Denis V. Lunev <den@openvz.org>

Cédric Le Goater Oct. 26, 2023, 9:58 a.m. UTC | #2

On 10/26/23 10:41, Denis V. Lunev wrote:
> On 10/26/23 09:06, Cédric Le Goater wrote:
>> Hello,
>>
>> This series fixes a buffer overrun in VFIO. The buffer used in
>> vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
>> one byte for the trailing NUL.
>>
>> Instead of adding + 1, as done elsewhere, the changes introduce a
>> UUID_STR_LEN define for the correct size and use it where required.
>>
>> Thanks,
>>
>> C.
>>
>> Changes in v2:
>>   - removal of UUID_FMT_LEN
>>
>> Cédric Le Goater (3):
>>    util/uuid: Add UUID_STR_LEN definition
>>    vfio/pci: Fix buffer overrun when writing the VF token
>>    util/uuid: Remove UUID_FMT_LEN
>>
>>   include/qemu/uuid.h              | 2 +-
>>   block/parallels-ext.c            | 2 +-
>>   block/vdi.c                      | 2 +-
>>   hw/core/qdev-properties-system.c | 2 +-
>>   hw/hyperv/vmbus.c                | 4 ++--
>>   hw/vfio/pci.c                    | 2 +-
>>   migration/savevm.c               | 4 ++--
>>   tests/unit/test-uuid.c           | 2 +-
>>   util/uuid.c                      | 2 +-
>>   9 files changed, 11 insertions(+), 11 deletions(-)
>>
> Reviwed-by: Denis V. Lunev <den@openvz.org>

I changed that to "Reviewed-by".

Interesting to see that b4 was ok with this new tag.

Thanks,

C.

Konstantin Ryabitsev Oct. 26, 2023, 1:42 p.m. UTC | #3

October 26, 2023 at 5:58 AM, "Cédric Le Goater" <clg@redhat.com> wrote:
> >  Reviwed-by: Denis V. Lunev <den@openvz.org>
> > 
> 
> I changed that to "Reviewed-by".
> 
> Interesting to see that b4 was ok with this new tag.

When we see an email address in the trailer contents, we don't check it against a known-trailers list, because there are just too many things like "Co-developed-by", "Reviewed-and-acked-by", etc. We could add some kind of logic to break these apart and compare individual parts to a list of known person-trailers (e.g. ["co", "reviewed", "developed", "and", "by", ...]), but we currently don't, which is why typos like this one sneak through.

-K

Cédric Le Goater Oct. 26, 2023, 2 p.m. UTC | #4

On 10/26/23 09:06, Cédric Le Goater wrote:
> Hello,
> 
> This series fixes a buffer overrun in VFIO. The buffer used in
> vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
> one byte for the trailing NUL.
> 
> Instead of adding + 1, as done elsewhere, the changes introduce a
> UUID_STR_LEN define for the correct size and use it where required.

Cc: qemu-stable@nongnu.org # 8.1+

I propose to take this series in vfio-next if no one objects.

Thanks,

C.


> 
> Thanks,
> 
> C.
> 
> Changes in v2:
>   - removal of UUID_FMT_LEN
> 
> Cédric Le Goater (3):
>    util/uuid: Add UUID_STR_LEN definition
>    vfio/pci: Fix buffer overrun when writing the VF token
>    util/uuid: Remove UUID_FMT_LEN
> 
>   include/qemu/uuid.h              | 2 +-
>   block/parallels-ext.c            | 2 +-
>   block/vdi.c                      | 2 +-
>   hw/core/qdev-properties-system.c | 2 +-
>   hw/hyperv/vmbus.c                | 4 ++--
>   hw/vfio/pci.c                    | 2 +-
>   migration/savevm.c               | 4 ++--
>   tests/unit/test-uuid.c           | 2 +-
>   util/uuid.c                      | 2 +-
>   9 files changed, 11 insertions(+), 11 deletions(-)
>

Peter Maydell Oct. 26, 2023, 3:36 p.m. UTC | #5

On Thu, 26 Oct 2023 at 16:06, Konstantin Ryabitsev
<konstantin.ryabitsev@linux.dev> wrote:
>
> October 26, 2023 at 5:58 AM, "Cédric Le Goater" <clg@redhat.com> wrote:
> > >  Reviwed-by: Denis V. Lunev <den@openvz.org>
> > >
> >
> > I changed that to "Reviewed-by".
> >
> > Interesting to see that b4 was ok with this new tag.
>
> When we see an email address in the trailer contents, we don't check it against a known-trailers list, because there are just too many things like "Co-developed-by", "Reviewed-and-acked-by", etc. We could add some kind of logic to break these apart and compare individual parts to a list of known person-trailers (e.g. ["co", "reviewed", "developed", "and", "by", ...]), but we currently don't, which is why typos like this one sneak through.

From the QEMU development perspective, I would be mildly in favour
of having checkpatch at least warn about unusual trailers, because
I don't think the profusion of oddball stuff is actually helpful,
and nudging towards standardization and guarding against typos in
the tag string would be better (eg if you want to do both a review
and an ack, provide both tags, not an -and- tag that no tooling
that might be asking "did this get review?" will be looking for).
But I don't care enough to have actually looked at getting our
checkpatch to do this :-)

-- PMM

Philippe Mathieu-Daudé Oct. 27, 2023, 5:01 a.m. UTC | #6

On 26/10/23 16:00, Cédric Le Goater wrote:
> On 10/26/23 09:06, Cédric Le Goater wrote:
>> Hello,
>>
>> This series fixes a buffer overrun in VFIO. The buffer used in
>> vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
>> one byte for the trailing NUL.
>>
>> Instead of adding + 1, as done elsewhere, the changes introduce a
>> UUID_STR_LEN define for the correct size and use it where required.
> 
> Cc: qemu-stable@nongnu.org # 8.1+

Hopefully 8.2 shouldn't be affected ;)

> 
> I propose to take this series in vfio-next if no one objects.
> 
> Thanks,
> 
> C.

Cédric Le Goater Oct. 30, 2023, 8:59 a.m. UTC | #7

On 10/26/23 16:00, Cédric Le Goater wrote:
> On 10/26/23 09:06, Cédric Le Goater wrote:
>> Hello,
>>
>> This series fixes a buffer overrun in VFIO. The buffer used in
>> vfio_realize() by qemu_uuid_unparse() is too small, UUID_FMT_LEN lacks
>> one byte for the trailing NUL.
>>
>> Instead of adding + 1, as done elsewhere, the changes introduce a
>> UUID_STR_LEN define for the correct size and use it where required.
> 
> Cc: qemu-stable@nongnu.org # 8.1+
> 
> I propose to take this series in vfio-next if no one objects.


Applied to vfio-next.

Thanks,

C.

[v2,0/3] vfio/pci: Fix buffer overrun when writing the VF token

Message

Comments