From patchwork Wed Jul 11 22:12:44 2018
X-Patchwork-Submitter: jonasschievink@gmail.com
X-Patchwork-Id: 10520649
From: Jonas Schievink
To: Philippe Mathieu-Daudé
Date: Thu, 12 Jul 2018 00:12:44 +0200
Message-Id: <20180711221244.31869-1-jonasschievink@gmail.com>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <5271d71e-794c-2db0-9046-183fd79dd902@amsat.org>
References: <5271d71e-794c-2db0-9046-183fd79dd902@amsat.org>
Subject: [Qemu-devel] [PATCH v2] Zero out the host's `msg_control` buffer
Cc: Riku Voipio, Laurent Vivier, Jonas Schievink, qemu-devel@nongnu.org

If this is not done, qemu would drop any control message after the first one.

This is because glibc's `CMSG_NXTHDR` macro accesses the uninitialized cmsghdr's length field in order to find out if the message fits into the `msg_control` buffer, wrongly assuming that it doesn't because the length field contains garbage.

Accessing the length field is fine for completed messages we receive from the kernel, but is - as far as I know - not needed since the kernel won't return such an invalid cmsghdr in the first place.

This is tracked as this glibc bug: https://sourceware.org/bugzilla/show_bug.cgi?id=13500

It's probably also a good idea to bail with an error if `CMSG_NXTHDR` returns NULL but `TARGET_CMSG_NXTHDR` doesn't (i.e. we still expect cmsgs).

Signed-off-by: Jonas Schievink
Reviewed-by: Laurent Vivier
---
Changes in v2:
- put the memset right after the msg_control alloca
- added missing Signed-off-by line

 linux-user/syscall.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index e4b1b7d7da..3c427500ef 100644 --- a/linux-user/syscall.c
+++ b/linux-user/syscall.c @@ -3843,6 +3843,8 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, } msg.msg_controllen = 2 * tswapal(msgp->msg_controllen); msg.msg_control = alloca(msg.msg_controllen); + memset(msg.msg_control, 0, msg.msg_controllen); + msg.msg_flags = tswap32(msgp->msg_flags); count = tswapal(msgp->msg_iovlen);
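Review bot: the commit message says it would be a good idea to bail with an error when `CMSG_NXTHDR` returns NULL while `TARGET_CMSG_NXTHDR` still yields a cmsg, but this hunk only adds the `memset`; either add that check to the conversion loop in the same patch or drop the sentence so the message describes what the change actually does. The `memset` itself is placed correctly, immediately after `msg.msg_control = alloca(msg.msg_controllen);` and before anything reads the buffer, and it is bounded by the same length as the allocation, so it adds no exposure beyond the existing `alloca` of `2 * tswapal(msgp->msg_controllen)`. That size comes from guest memory and no upper bound on it is visible in this hunk; whether one exists earlier in `do_sendrecvmsg_locked` is worth a separate look, since a `memset` over an oversized stack allocation will now touch every page of it.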
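The mechanism the commit message describes, as an added example that is not part of the patch or of qemu's code: a translator walks a freshly allocated control buffer with `CMSG_FIRSTHDR`/next-header and writes each `cmsghdr` as it goes, so the next-header step runs before the next slot's `cmsg_len` has been written. The bounds check is re-implemented locally in `nxthdr_glibc_style()` (mirroring the logic reported in sourceware bug 13500, using offsets rather than raw pointer comparison so a garbage length cannot overflow a pointer) so that the result does not depend on which glibc the reader has installed; `emit_cmsgs()`, `demo()` and the `0x5a` fill that stands in for stale stack contents are all constructed for this example.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Re-implementation (not glibc's code) of the next-header bounds check the
 * commit message describes: before returning the next cmsghdr, the *next*
 * entry's cmsg_len is read to decide whether that entry fits in msg_control.
 * In a freshly alloca()'d buffer that field holds whatever the stack held
 * before.  Offsets are used instead of pointer comparisons so a garbage
 * length cannot overflow a pointer.
 */
static struct cmsghdr *nxthdr_glibc_style(const struct msghdr *mh, struct cmsghdr *cm)
{
    unsigned char *base = mh->msg_control;
    size_t len = mh->msg_controllen;

    if ((size_t)cm->cmsg_len < sizeof(struct cmsghdr))
        return NULL;
    size_t off = (size_t)((unsigned char *)cm - base) + CMSG_ALIGN(cm->cmsg_len);
    if (off + sizeof(struct cmsghdr) > len)
        return NULL;                 /* no room for another header */
    cm = (struct cmsghdr *)(base + off);
    /* cm->cmsg_len has not been written yet: this read decides the outcome. */
    if (off + CMSG_ALIGN(cm->cmsg_len) > len)
        return NULL;
    return cm;
}

/*
 * Write up to `want` SCM_RIGHTS cmsgs into buf the way a syscall translator
 * does: walk the host buffer and fill each header in place.  Returns how many
 * cmsgs were actually emitted; with an unzeroed buffer the walk stops early.
 */
static size_t emit_cmsgs(void *buf, size_t buflen, int want, int zero_first)
{
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_control = buf;
    mh.msg_controllen = buflen;
    if (zero_first)
        memset(buf, 0, buflen);      /* what the patch adds after alloca() */

    size_t n = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm != NULL && n < (size_t)want;
         cm = nxthdr_glibc_style(&mh, cm)) {
        int fd = 41 + (int)n;        /* dummy payload, one fd per cmsg */
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof fd);
        memcpy(CMSG_DATA(cm), &fd, sizeof fd);
        n++;
    }
    return n;
}

/* Two cmsgs' worth of space, pre-filled with a constructed "stale stack" byte. */
static size_t demo(int zero_first)
{
    unsigned char buf[2 * CMSG_SPACE(sizeof(int))];
    memset(buf, 0x5a, sizeof buf);   /* stands in for uninitialised alloca memory */
    return emit_cmsgs(buf, sizeof buf, 2, zero_first);
}

int main(void)
{
    printf("uninitialised buffer: %zu cmsg(s) emitted\n", demo(0));
    printf("zeroed buffer:        %zu cmsg(s) emitted\n", demo(1));
    return 0;
}
```

Build with `cc -Wall example.c`. The unzeroed run emits one cmsg because the second slot's garbage `cmsg_len` makes the fit check fail; the zeroed run emits both, since a zero `cmsg_len` always fits and the translator overwrites it a moment later.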