[05/12] device_tree: qmp_dumpdtb(): stronger assertion

Message ID	20230925194040.68592-6-vsementsov@yandex-team.ru (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> To: qemu-devel@nongnu.org Cc: pbonzini@redhat.com, vsementsov@yandex-team.ru, Alistair Francis <alistair.francis@wdc.com>, David Gibson <david@gibson.dropbear.id.au> Subject: [PATCH 05/12] device_tree: qmp_dumpdtb(): stronger assertion Date: Mon, 25 Sep 2023 22:40:33 +0300 Message-Id: <20230925194040.68592-6-vsementsov@yandex-team.ru> In-Reply-To: <20230925194040.68592-1-vsementsov@yandex-team.ru> References: <20230925194040.68592-1-vsementsov@yandex-team.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a02:6b8:c03:500:1:45:d181:df01; envelope-from=vsementsov@yandex-team.ru; helo=forwardcorp1c.mail.yandex.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	coverity fixes \| expand [00/12] coverity fixes [01/12] hw/core/loader: load_at(): check size [02/12] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): reduce magic numbers [03/12] util/filemonitor-inotify: qemu_file_monitor_watch(): avoid overflow [04/12] libvhost-user.c: add assertion to vu_message_read_default [05/12] device_tree: qmp_dumpdtb(): stronger assertion [06/12] mc146818rtc: rtc_set_time(): initialize tm to zeroes [07/12] pcie_sriov: unregister_vfs(): fix error path [08/12] block/nvme: nvme_process_completion() fix bound for cid [09/12] kvm-all: introduce limits for name_size and num_desc [10/12] hw/core/loader: gunzip(): initialize z_stream [11/12] hw/core/loader: read_targphys(): add upper bound [12/12] io/channel-socket: qio_channel_socket_flush(): improve msg validation

Vladimir Sementsov-Ogievskiy Sept. 25, 2023, 7:40 p.m. UTC

Coverity mark this size, got from the buffer as untrasted value, it's
not good to use it as length when writing to file. Make the assertion
more strict to also check upper bound.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
---
 softmmu/device_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Alistair Francis Sept. 26, 2023, 1:26 a.m. UTC | #1

On Tue, Sep 26, 2023 at 6:42 AM Vladimir Sementsov-Ogievskiy
<vsementsov@yandex-team.ru> wrote:
>
> Coverity mark this size, got from the buffer as untrasted value, it's

s/untrasted/untrusted/g

> not good to use it as length when writing to file. Make the assertion
> more strict to also check upper bound.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
>  softmmu/device_tree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
> index 30aa3aea9f..adc4236e21 100644
> --- a/softmmu/device_tree.c
> +++ b/softmmu/device_tree.c
> @@ -660,7 +660,7 @@ void qmp_dumpdtb(const char *filename, Error **errp)
>
>      size = fdt_totalsize(current_machine->fdt);
>
> -    g_assert(size > 0);
> +    g_assert(size > 0 && size <= FDT_MAX_SIZE);
>
>      if (!g_file_set_contents(filename, current_machine->fdt, size, &err)) {
>          error_setg(errp, "Error saving FDT to file %s: %s",
> --
> 2.34.1
>
>

Vladimir Sementsov-Ogievskiy Sept. 26, 2023, 10:08 a.m. UTC | #2

On 26.09.23 04:26, Alistair Francis wrote:
> On Tue, Sep 26, 2023 at 6:42 AM Vladimir Sementsov-Ogievskiy
> <vsementsov@yandex-team.ru> wrote:
>>
>> Coverity mark this size, got from the buffer as untrasted value, it's
> 
> s/untrasted/untrusted/g

will fix.

> 
>> not good to use it as length when writing to file. Make the assertion
>> more strict to also check upper bound.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> 
> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
> 

Thanks!

> 
>> ---
>>   softmmu/device_tree.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
>> index 30aa3aea9f..adc4236e21 100644
>> --- a/softmmu/device_tree.c
>> +++ b/softmmu/device_tree.c
>> @@ -660,7 +660,7 @@ void qmp_dumpdtb(const char *filename, Error **errp)
>>
>>       size = fdt_totalsize(current_machine->fdt);
>>
>> -    g_assert(size > 0);
>> +    g_assert(size > 0 && size <= FDT_MAX_SIZE);
>>
>>       if (!g_file_set_contents(filename, current_machine->fdt, size, &err)) {
>>           error_setg(errp, "Error saving FDT to file %s: %s",
>> --
>> 2.34.1
>>
>>

Peter Maydell Sept. 26, 2023, 10:51 a.m. UTC | #3

On Mon, 25 Sept 2023 at 20:42, Vladimir Sementsov-Ogievskiy
<vsementsov@yandex-team.ru> wrote:
>
> Coverity mark this size, got from the buffer as untrasted value, it's
> not good to use it as length when writing to file. Make the assertion
> more strict to also check upper bound.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> ---
>  softmmu/device_tree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
> index 30aa3aea9f..adc4236e21 100644
> --- a/softmmu/device_tree.c
> +++ b/softmmu/device_tree.c
> @@ -660,7 +660,7 @@ void qmp_dumpdtb(const char *filename, Error **errp)
>
>      size = fdt_totalsize(current_machine->fdt);
>
> -    g_assert(size > 0);
> +    g_assert(size > 0 && size <= FDT_MAX_SIZE);

FDT_MAX_SIZE is not "this is as big as an FDT can ever be". It's
only the internal sizing of device trees that we create ourselves
in the machine models (and which we will bump up if for some
reason we ever find ourselves needing to create bigger device
trees). So it's not really a suitable upper bound.

>      if (!g_file_set_contents(filename, current_machine->fdt, size, &err)) {
>          error_setg(errp, "Error saving FDT to file %s: %s",

Nothing bad happens if we pass g_file_set_contents() a very
large size -- we'll just create a large file. The user already
has lots of ways to fill up their disk if they want to, and
we don't have any idea how much disk space they might or might
not have.

I would just mark this as a false positive.

thanks
-- PMM

Vladimir Sementsov-Ogievskiy Sept. 26, 2023, 2:20 p.m. UTC | #4

On 26.09.23 13:51, Peter Maydell wrote:
> On Mon, 25 Sept 2023 at 20:42, Vladimir Sementsov-Ogievskiy
> <vsementsov@yandex-team.ru> wrote:
>>
>> Coverity mark this size, got from the buffer as untrasted value, it's
>> not good to use it as length when writing to file. Make the assertion
>> more strict to also check upper bound.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
>> ---
>>   softmmu/device_tree.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
>> index 30aa3aea9f..adc4236e21 100644
>> --- a/softmmu/device_tree.c
>> +++ b/softmmu/device_tree.c
>> @@ -660,7 +660,7 @@ void qmp_dumpdtb(const char *filename, Error **errp)
>>
>>       size = fdt_totalsize(current_machine->fdt);
>>
>> -    g_assert(size > 0);
>> +    g_assert(size > 0 && size <= FDT_MAX_SIZE);
> 
> FDT_MAX_SIZE is not "this is as big as an FDT can ever be". It's
> only the internal sizing of device trees that we create ourselves
> in the machine models (and which we will bump up if for some
> reason we ever find ourselves needing to create bigger device
> trees). So it's not really a suitable upper bound.
> 
>>       if (!g_file_set_contents(filename, current_machine->fdt, size, &err)) {
>>           error_setg(errp, "Error saving FDT to file %s: %s",
> 
> Nothing bad happens if we pass g_file_set_contents() a very

but it will also try to read beyond the allocated fdt. In my thought clear crash on assertion is better than such memory access.

> large size -- we'll just create a large file. The user already
> has lots of ways to fill up their disk if they want to, and
> we don't have any idea how much disk space they might or might
> not have.
> 
> I would just mark this as a false positive.
> 
> thanks
> -- PMM

Peter Maydell Sept. 26, 2023, 2:33 p.m. UTC | #5

On Tue, 26 Sept 2023 at 15:20, Vladimir Sementsov-Ogievskiy
<vsementsov@yandex-team.ru> wrote:
>
> On 26.09.23 13:51, Peter Maydell wrote:
> > On Mon, 25 Sept 2023 at 20:42, Vladimir Sementsov-Ogievskiy
> > <vsementsov@yandex-team.ru> wrote:
> >>
> >> Coverity mark this size, got from the buffer as untrasted value, it's
> >> not good to use it as length when writing to file. Make the assertion
> >> more strict to also check upper bound.
> >>
> >> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> >> ---
> >>   softmmu/device_tree.c | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
> >> index 30aa3aea9f..adc4236e21 100644
> >> --- a/softmmu/device_tree.c
> >> +++ b/softmmu/device_tree.c
> >> @@ -660,7 +660,7 @@ void qmp_dumpdtb(const char *filename, Error **errp)
> >>
> >>       size = fdt_totalsize(current_machine->fdt);
> >>
> >> -    g_assert(size > 0);
> >> +    g_assert(size > 0 && size <= FDT_MAX_SIZE);
> >
> > FDT_MAX_SIZE is not "this is as big as an FDT can ever be". It's
> > only the internal sizing of device trees that we create ourselves
> > in the machine models (and which we will bump up if for some
> > reason we ever find ourselves needing to create bigger device
> > trees). So it's not really a suitable upper bound.
> >
> >>       if (!g_file_set_contents(filename, current_machine->fdt, size, &err)) {
> >>           error_setg(errp, "Error saving FDT to file %s: %s",
> >
> > Nothing bad happens if we pass g_file_set_contents() a very
>
> but it will also try to read beyond the allocated fdt.

No, it won't, because we can assume that current_machine->fdt points
to a valid device tree blob, and so size is by definition correct.

The libfdt code keeps track of the size of the memory we allocated
for it to use -- when we call fdt_open_into() we pass that size.
fdt_totalsize() simply returns that passed in size value. So
the amount of memory we can access is exactly "size".

(The fdt may not have come from create_device_tree(), so
it's possible both that the size as returned by fdt_totalsize()
can validly be larger than FDT_MAX_SIZE, and also that the fdt
blob can be smaller than FDT_MAX_SIZE. So that's the wrong thing
to try to check against either way.)

thanks
-- PMM

[05/12] device_tree: qmp_dumpdtb(): stronger assertion

Commit Message

Comments

Patch