[PULL,18/40] linux-user: Fix types in uaccess.c

Message ID	20210216161658.29881-19-peter.maydell@linaro.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=vIlY=HS=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E425464E07 From: Peter Maydell <peter.maydell@linaro.org> To: qemu-devel@nongnu.org Subject: [PULL 18/40] linux-user: Fix types in uaccess.c Date: Tue, 16 Feb 2021 16:16:36 +0000 Message-Id: <20210216161658.29881-19-peter.maydell@linaro.org> In-Reply-To: <20210216161658.29881-1-peter.maydell@linaro.org> References: <20210216161658.29881-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::32d; envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x32d.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	[PULL,01/40] tcg: Introduce target-specific page data for user-only \| expand [PULL,01/40] tcg: Introduce target-specific page data for user-only [PULL,02/40] linux-user: Introduce PAGE_ANON [PULL,03/40] exec: Use uintptr_t for guest_base [PULL,04/40] exec: Use uintptr_t in cpu_ldst.h [PULL,05/40] exec: Improve types for guest_addr_valid [PULL,06/40] linux-user: Check for overflow in access_ok [PULL,07/40] linux-user: Tidy VERIFY_READ/VERIFY_WRITE [PULL,08/40] bsd-user: Tidy VERIFY_READ/VERIFY_WRITE [PULL,09/40] linux-user: Do not use guest_addr_valid for h2g_valid [PULL,10/40] linux-user: Fix guest_addr_valid vs reserved_va [PULL,11/40] exec: Introduce cpu_untagged_addr [PULL,12/40] exec: Use cpu_untagged_addr in g2h; split out g2h_untagged [PULL,13/40] linux-user: Explicitly untag memory management syscalls [PULL,14/40] linux-user: Use guest_range_valid in access_ok [PULL,15/40] exec: Rename guest_{addr,range}_valid to _untagged [PULL,16/40] linux-user: Use cpu_untagged_addr in access_ok; split out _untagged [PULL,17/40] linux-user: Move lock_user et al out of line [PULL,18/40] linux-user: Fix types in uaccess.c [PULL,19/40] linux-user: Handle tags in lock_user/unlock_user [PULL,20/40] linux-user/aarch64: Implement PR_TAGGED_ADDR_ENABLE [PULL,21/40] target/arm: Improve gen_top_byte_ignore [PULL,22/40] target/arm: Use the proper TBI settings for linux-user [PULL,23/40] linux-user/aarch64: Implement PR_MTE_TCF and PR_MTE_TAG [PULL,24/40] linux-user/aarch64: Implement PROT_MTE [PULL,25/40] target/arm: Split out syndrome.h from internals.h [PULL,26/40] linux-user/aarch64: Pass syndrome to EXC_*_ABORT [PULL,27/40] linux-user/aarch64: Signal SEGV_MTESERR for sync tag check fault [PULL,28/40] linux-user/aarch64: Signal SEGV_MTEAERR for async tag check error [PULL,29/40] target/arm: Add allocation tag storage for user mode [PULL,30/40] target/arm: Enable MTE for user-only [PULL,31/40] tests/tcg/aarch64: Add mte smoke tests [PULL,32/40] hw/i2c: Implement NPCM7XX SMBus Module Single Mode [PULL,33/40] hw/arm: Add I2C sensors for NPCM750 eval board [PULL,34/40] hw/arm: Add I2C sensors and EEPROM for GSJ machine [PULL,35/40] hw/i2c: Add a QTest for NPCM7XX SMBus Device [PULL,36/40] hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode [PULL,37/40] MAINTAINERS: add myself maintainer for the clock framework [PULL,38/40] hw/net: Add npcm7xx emc model [PULL,39/40] hw/arm: Add npcm7xx emc model [PULL,40/40] tests/qtests: Add npcm7xx emc model test

Message ID

20210216161658.29881-19-peter.maydell@linaro.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E425464E07
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 18/40] linux-user: Fix types in uaccess.c
Date: Tue, 16 Feb 2021 16:16:36 +0000
Message-Id: <20210216161658.29881-19-peter.maydell@linaro.org>
In-Reply-To: <20210216161658.29881-1-peter.maydell@linaro.org>
References: <20210216161658.29881-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::32d;
 envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x32d.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

[PULL,01/40] tcg: Introduce target-specific page data for user-only | expand

Commit Message

Peter Maydell Feb. 16, 2021, 4:16 p.m. UTC

From: Richard Henderson <richard.henderson@linaro.org>

For copy_*_user, only 0 and -TARGET_EFAULT are returned; no need
to involve abi_long.  Use size_t for lengths.  Use bool for the
lock_user copy argument.  Use ssize_t for target_strlen, because
we can't overflow the host memory space.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210212184902.1251044-19-richard.henderson@linaro.org
[PMM: moved fix for ifdef error to previous commit]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/qemu.h    | 12 +++++-------
 linux-user/uaccess.c | 45 ++++++++++++++++++++++----------------------
 2 files changed, 28 insertions(+), 29 deletions(-)

Comments

Laurent Vivier Feb. 19, 2021, 9:21 a.m. UTC | #1

Hi Richard,

I think this commit is the cause of CID 1446711.

There is no concistancy between the various declarations of unlock_user():

bsd-user/qemu.h

static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
                               long len)

include/exec/softmmu-semi.h

static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
                                target_ulong len)
...
#define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)

linux-user/qemu.h

#ifndef DEBUG_REMAP
static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
{ }
#else
void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
#endif

To take a signed long here allows to unconditionnaly call the unlock_user() function after the
syscall and not to copy the buffer if the value is negative.

Thanks,
Laurent

Le 16/02/2021 à 17:16, Peter Maydell a écrit :
> From: Richard Henderson <richard.henderson@linaro.org>
> 
> For copy_*_user, only 0 and -TARGET_EFAULT are returned; no need
> to involve abi_long.  Use size_t for lengths.  Use bool for the
> lock_user copy argument.  Use ssize_t for target_strlen, because
> we can't overflow the host memory space.
> 
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> Message-id: 20210212184902.1251044-19-richard.henderson@linaro.org
> [PMM: moved fix for ifdef error to previous commit]
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>  linux-user/qemu.h    | 12 +++++-------
>  linux-user/uaccess.c | 45 ++++++++++++++++++++++----------------------
>  2 files changed, 28 insertions(+), 29 deletions(-)
> 
> diff --git a/linux-user/qemu.h b/linux-user/qemu.h
> index 971af97a2fb..d25a5dafc0f 100644
> --- a/linux-user/qemu.h
> +++ b/linux-user/qemu.h
> @@ -7,8 +7,6 @@
>  #include "exec/cpu_ldst.h"
>  
>  #undef DEBUG_REMAP
> -#ifdef DEBUG_REMAP
> -#endif /* DEBUG_REMAP */
>  
>  #include "exec/user/abitypes.h"
>  
> @@ -629,8 +627,8 @@ static inline bool access_ok(CPUState *cpu, int type,
>   * buffers between the target and host.  These internally perform
>   * locking/unlocking of the memory.
>   */
> -abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len);
> -abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
> +int copy_from_user(void *hptr, abi_ulong gaddr, size_t len);
> +int copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
>  
>  /* Functions for accessing guest memory.  The tget and tput functions
>     read/write single values, byteswapping as necessary.  The lock_user function
> @@ -640,13 +638,13 @@ abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
>  
>  /* Lock an area of guest memory into the host.  If copy is true then the
>     host area will have the same contents as the guest.  */
> -void *lock_user(int type, abi_ulong guest_addr, long len, int copy);
> +void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy);
>  
>  /* Unlock an area of guest memory.  The first LEN bytes must be
>     flushed back to guest memory. host_ptr = NULL is explicitly
>     allowed and does nothing. */
>  #ifndef DEBUG_REMAP
> -static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, long len)
> +static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
>  { }
>  #else
>  void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
> @@ -654,7 +652,7 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>  
>  /* Return the length of a string in target memory or -TARGET_EFAULT if
>     access error. */
> -abi_long target_strlen(abi_ulong gaddr);
> +ssize_t target_strlen(abi_ulong gaddr);
>  
>  /* Like lock_user but for null terminated strings.  */
>  void *lock_user_string(abi_ulong guest_addr);
> diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c
> index bba012ed159..76af6a92b11 100644
> --- a/linux-user/uaccess.c
> +++ b/linux-user/uaccess.c
> @@ -4,7 +4,7 @@
>  
>  #include "qemu.h"
>  
> -void *lock_user(int type, abi_ulong guest_addr, long len, int copy)
> +void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy)
>  {
>      if (!access_ok_untagged(type, guest_addr, len)) {
>          return NULL;
> @@ -26,7 +26,7 @@ void *lock_user(int type, abi_ulong guest_addr, long len, int copy)
>  }
>  
>  #ifdef DEBUG_REMAP
> -void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
> +void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len);
>  {
>      if (!host_ptr) {
>          return;
> @@ -34,7 +34,7 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>      if (host_ptr == g2h_untagged(guest_addr)) {
>          return;
>      }
> -    if (len > 0) {
> +    if (len != 0) {
>          memcpy(g2h_untagged(guest_addr), host_ptr, len);
>      }
>      g_free(host_ptr);
> @@ -43,53 +43,53 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>  
>  void *lock_user_string(abi_ulong guest_addr)
>  {
> -    abi_long len = target_strlen(guest_addr);
> +    ssize_t len = target_strlen(guest_addr);
>      if (len < 0) {
>          return NULL;
>      }
> -    return lock_user(VERIFY_READ, guest_addr, (long)(len + 1), 1);
> +    return lock_user(VERIFY_READ, guest_addr, (size_t)len + 1, 1);
>  }
>  
>  /* copy_from_user() and copy_to_user() are usually used to copy data
>   * buffers between the target and host.  These internally perform
>   * locking/unlocking of the memory.
>   */
> -abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len)
> +int copy_from_user(void *hptr, abi_ulong gaddr, size_t len)
>  {
> -    abi_long ret = 0;
> -    void *ghptr;
> +    int ret = 0;
> +    void *ghptr = lock_user(VERIFY_READ, gaddr, len, 1);
>  
> -    if ((ghptr = lock_user(VERIFY_READ, gaddr, len, 1))) {
> +    if (ghptr) {
>          memcpy(hptr, ghptr, len);
>          unlock_user(ghptr, gaddr, 0);
> -    } else
> +    } else {
>          ret = -TARGET_EFAULT;
> -
> +    }
>      return ret;
>  }
>  
> -
> -abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len)
> +int copy_to_user(abi_ulong gaddr, void *hptr, size_t len)
>  {
> -    abi_long ret = 0;
> -    void *ghptr;
> +    int ret = 0;
> +    void *ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0);
>  
> -    if ((ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0))) {
> +    if (ghptr) {
>          memcpy(ghptr, hptr, len);
>          unlock_user(ghptr, gaddr, len);
> -    } else
> +    } else {
>          ret = -TARGET_EFAULT;
> +    }
>  
>      return ret;
>  }
>  
>  /* Return the length of a string in target memory or -TARGET_EFAULT if
>     access error  */
> -abi_long target_strlen(abi_ulong guest_addr1)
> +ssize_t target_strlen(abi_ulong guest_addr1)
>  {
>      uint8_t *ptr;
>      abi_ulong guest_addr;
> -    int max_len, len;
> +    size_t max_len, len;
>  
>      guest_addr = guest_addr1;
>      for(;;) {
> @@ -101,11 +101,12 @@ abi_long target_strlen(abi_ulong guest_addr1)
>          unlock_user(ptr, guest_addr, 0);
>          guest_addr += len;
>          /* we don't allow wrapping or integer overflow */
> -        if (guest_addr == 0 || 
> -            (guest_addr - guest_addr1) > 0x7fffffff)
> +        if (guest_addr == 0 || (guest_addr - guest_addr1) > 0x7fffffff) {
>              return -TARGET_EFAULT;
> -        if (len != max_len)
> +        }
> +        if (len != max_len) {
>              break;
> +        }
>      }
>      return guest_addr - guest_addr1;
>  }
>

Peter Maydell March 10, 2021, 3:48 p.m. UTC | #2

On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>
> Hi Richard,
>
> I think this commit is the cause of CID 1446711.
>
> There is no concistancy between the various declarations of unlock_user():
>
> bsd-user/qemu.h
>
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
>                                long len)
>
> include/exec/softmmu-semi.h
>
> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
>                                 target_ulong len)
> ...
> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>
> linux-user/qemu.h
>
> #ifndef DEBUG_REMAP
> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
> { }
> #else
> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
> #endif
>
> To take a signed long here allows to unconditionnaly call the unlock_user() function after the
> syscall and not to copy the buffer if the value is negative.

Hi; what was the conclusion here about how best to fix the Coverity issue?

To save people looking it up, Coverity complains because in the
TARGET_NR_readlinkat case for linux-user we do:
            void *p2;
            p  = lock_user_string(arg2);
            p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
            if (!p || !p2) {
                ret = -TARGET_EFAULT;
            } else if (is_proc_myself((const char *)p, "exe")) {
                char real[PATH_MAX], *temp;
                temp = realpath(exec_path, real);
                ret = temp == NULL ? get_errno(-1) : strlen(real) ;
                snprintf((char *)p2, arg4, "%s", real);
            } else {
                ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
            }
            unlock_user(p2, arg3, ret);
            unlock_user(p, arg2, 0);

and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
codepaths we can set ret to a negative number, which Coverity thinks
is suspicious given that unlock_user()'s new prototype says it
is an unsigned value. It's correct to be suspicious, because we really
did change from doing a >=0 to a !=0 check on the length.

Unless we really want to audit all the unlock_user() callsites,
going back to the previous semantics seems sensible.

thanks
-- PMM

Laurent Vivier March 10, 2021, 4:34 p.m. UTC | #3

Le 10/03/2021 à 16:48, Peter Maydell a écrit :
> On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>>
>> Hi Richard,
>>
>> I think this commit is the cause of CID 1446711.
>>
>> There is no concistancy between the various declarations of unlock_user():
>>
>> bsd-user/qemu.h
>>
>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
>>                                long len)
>>
>> include/exec/softmmu-semi.h
>>
>> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
>>                                 target_ulong len)
>> ...
>> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>>
>> linux-user/qemu.h
>>
>> #ifndef DEBUG_REMAP
>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
>> { }
>> #else
>> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>> #endif
>>
>> To take a signed long here allows to unconditionnaly call the unlock_user() function after the
>> syscall and not to copy the buffer if the value is negative.
> 
> Hi; what was the conclusion here about how best to fix the Coverity issue?

For what I know, there is no conclusion.

> To save people looking it up, Coverity complains because in the
> TARGET_NR_readlinkat case for linux-user we do:
>             void *p2;
>             p  = lock_user_string(arg2);
>             p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
>             if (!p || !p2) {
>                 ret = -TARGET_EFAULT;
>             } else if (is_proc_myself((const char *)p, "exe")) {
>                 char real[PATH_MAX], *temp;
>                 temp = realpath(exec_path, real);
>                 ret = temp == NULL ? get_errno(-1) : strlen(real) ;
>                 snprintf((char *)p2, arg4, "%s", real);
>             } else {
>                 ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
>             }
>             unlock_user(p2, arg3, ret);
>             unlock_user(p, arg2, 0);
> 
> and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
> codepaths we can set ret to a negative number, which Coverity thinks
> is suspicious given that unlock_user()'s new prototype says it
> is an unsigned value. It's correct to be suspicious, because we really
> did change from doing a >=0 to a !=0 check on the length.
> 
> Unless we really want to audit all the unlock_user() callsites,
> going back to the previous semantics seems sensible.

I agree with that.

Thanks,
Laurent

Richard Henderson March 11, 2021, 1:25 p.m. UTC | #4

On 3/10/21 10:34 AM, Laurent Vivier wrote:
> Le 10/03/2021 à 16:48, Peter Maydell a écrit :
>> On Fri, 19 Feb 2021 at 09:21, Laurent Vivier <laurent@vivier.eu> wrote:
>>>
>>> Hi Richard,
>>>
>>> I think this commit is the cause of CID 1446711.
>>>
>>> There is no concistancy between the various declarations of unlock_user():
>>>
>>> bsd-user/qemu.h
>>>
>>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
>>>                                 long len)
>>>
>>> include/exec/softmmu-semi.h
>>>
>>> static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr,
>>>                                  target_ulong len)
>>> ...
>>> #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len)
>>>
>>> linux-user/qemu.h
>>>
>>> #ifndef DEBUG_REMAP
>>> static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
>>> { }
>>> #else
>>> void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
>>> #endif
>>>
>>> To take a signed long here allows to unconditionnaly call the unlock_user() function after the
>>> syscall and not to copy the buffer if the value is negative.
>>
>> Hi; what was the conclusion here about how best to fix the Coverity issue?
> 
> For what I know, there is no conclusion.
> 
>> To save people looking it up, Coverity complains because in the
>> TARGET_NR_readlinkat case for linux-user we do:
>>              void *p2;
>>              p  = lock_user_string(arg2);
>>              p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
>>              if (!p || !p2) {
>>                  ret = -TARGET_EFAULT;
>>              } else if (is_proc_myself((const char *)p, "exe")) {
>>                  char real[PATH_MAX], *temp;
>>                  temp = realpath(exec_path, real);
>>                  ret = temp == NULL ? get_errno(-1) : strlen(real) ;
>>                  snprintf((char *)p2, arg4, "%s", real);
>>              } else {
>>                  ret = get_errno(readlinkat(arg1, path(p), p2, arg4));
>>              }
>>              unlock_user(p2, arg3, ret);
>>              unlock_user(p, arg2, 0);
>>
>> and in the "ret = -TARGET_EFAULT" and also the get_errno(readlinkat(...))
>> codepaths we can set ret to a negative number, which Coverity thinks
>> is suspicious given that unlock_user()'s new prototype says it
>> is an unsigned value. It's correct to be suspicious, because we really
>> did change from doing a >=0 to a !=0 check on the length.
>>
>> Unless we really want to audit all the unlock_user() callsites,
>> going back to the previous semantics seems sensible.
> 
> I agree with that.

This passing of an errno to unlock_user is... horrible.  I guess we have to 
revert to the signed type.


r~

diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 971af97a2fb..d25a5dafc0f 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -7,8 +7,6 @@ 
 #include "exec/cpu_ldst.h"
 
 #undef DEBUG_REMAP
-#ifdef DEBUG_REMAP
-#endif /* DEBUG_REMAP */
 
 #include "exec/user/abitypes.h"
 
@@ -629,8 +627,8 @@  static inline bool access_ok(CPUState *cpu, int type,
  * buffers between the target and host.  These internally perform
  * locking/unlocking of the memory.
  */
-abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len);
-abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
+int copy_from_user(void *hptr, abi_ulong gaddr, size_t len);
+int copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
 
 /* Functions for accessing guest memory.  The tget and tput functions
    read/write single values, byteswapping as necessary.  The lock_user function
@@ -640,13 +638,13 @@  abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len);
 
 /* Lock an area of guest memory into the host.  If copy is true then the
    host area will have the same contents as the guest.  */
-void *lock_user(int type, abi_ulong guest_addr, long len, int copy);
+void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy);
 
 /* Unlock an area of guest memory.  The first LEN bytes must be
    flushed back to guest memory. host_ptr = NULL is explicitly
    allowed and does nothing. */
 #ifndef DEBUG_REMAP
-static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, long len)
+static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len)
 { }
 #else
 void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
@@ -654,7 +652,7 @@  void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
 
 /* Return the length of a string in target memory or -TARGET_EFAULT if
    access error. */
-abi_long target_strlen(abi_ulong gaddr);
+ssize_t target_strlen(abi_ulong gaddr);
 
 /* Like lock_user but for null terminated strings.  */
 void *lock_user_string(abi_ulong guest_addr);
diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c
index bba012ed159..76af6a92b11 100644
--- a/linux-user/uaccess.c
+++ b/linux-user/uaccess.c
@@ -4,7 +4,7 @@ 
 
 #include "qemu.h"
 
-void *lock_user(int type, abi_ulong guest_addr, long len, int copy)
+void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy)
 {
     if (!access_ok_untagged(type, guest_addr, len)) {
         return NULL;
@@ -26,7 +26,7 @@  void *lock_user(int type, abi_ulong guest_addr, long len, int copy)
 }
 
 #ifdef DEBUG_REMAP
-void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
+void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len);
 {
     if (!host_ptr) {
         return;
@@ -34,7 +34,7 @@  void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
     if (host_ptr == g2h_untagged(guest_addr)) {
         return;
     }
-    if (len > 0) {
+    if (len != 0) {
         memcpy(g2h_untagged(guest_addr), host_ptr, len);
     }
     g_free(host_ptr);
@@ -43,53 +43,53 @@  void unlock_user(void *host_ptr, abi_ulong guest_addr, long len);
 
 void *lock_user_string(abi_ulong guest_addr)
 {
-    abi_long len = target_strlen(guest_addr);
+    ssize_t len = target_strlen(guest_addr);
     if (len < 0) {
         return NULL;
     }
-    return lock_user(VERIFY_READ, guest_addr, (long)(len + 1), 1);
+    return lock_user(VERIFY_READ, guest_addr, (size_t)len + 1, 1);
 }
 
 /* copy_from_user() and copy_to_user() are usually used to copy data
  * buffers between the target and host.  These internally perform
  * locking/unlocking of the memory.
  */
-abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len)
+int copy_from_user(void *hptr, abi_ulong gaddr, size_t len)
 {
-    abi_long ret = 0;
-    void *ghptr;
+    int ret = 0;
+    void *ghptr = lock_user(VERIFY_READ, gaddr, len, 1);
 
-    if ((ghptr = lock_user(VERIFY_READ, gaddr, len, 1))) {
+    if (ghptr) {
         memcpy(hptr, ghptr, len);
         unlock_user(ghptr, gaddr, 0);
-    } else
+    } else {
         ret = -TARGET_EFAULT;
-
+    }
     return ret;
 }
 
-
-abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len)
+int copy_to_user(abi_ulong gaddr, void *hptr, size_t len)
 {
-    abi_long ret = 0;
-    void *ghptr;
+    int ret = 0;
+    void *ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0);
 
-    if ((ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0))) {
+    if (ghptr) {
         memcpy(ghptr, hptr, len);
         unlock_user(ghptr, gaddr, len);
-    } else
+    } else {
         ret = -TARGET_EFAULT;
+    }
 
     return ret;
 }
 
 /* Return the length of a string in target memory or -TARGET_EFAULT if
    access error  */
-abi_long target_strlen(abi_ulong guest_addr1)
+ssize_t target_strlen(abi_ulong guest_addr1)
 {
     uint8_t *ptr;
     abi_ulong guest_addr;
-    int max_len, len;
+    size_t max_len, len;
 
     guest_addr = guest_addr1;
     for(;;) {
@@ -101,11 +101,12 @@  abi_long target_strlen(abi_ulong guest_addr1)
         unlock_user(ptr, guest_addr, 0);
         guest_addr += len;
         /* we don't allow wrapping or integer overflow */
-        if (guest_addr == 0 || 
-            (guest_addr - guest_addr1) > 0x7fffffff)
+        if (guest_addr == 0 || (guest_addr - guest_addr1) > 0x7fffffff) {
             return -TARGET_EFAULT;
-        if (len != max_len)
+        }
+        if (len != max_len) {
             break;
+        }
     }
     return guest_addr - guest_addr1;
 }

[PULL,18/40] linux-user: Fix types in uaccess.c

Commit Message

Comments

Patch