From patchwork Wed Sep 21 13:14:00 2016
X-Patchwork-Submitter: Greg Kurz
X-Patchwork-Id: 672873
From: Greg Kurz
To: qemu-devel@nongnu.org
Date: Wed, 21 Sep 2016 15:14:00 +0200
In-Reply-To: <147446363181.4880.18104448248886932114.stgit@bahia>
References: <147446363181.4880.18104448248886932114.stgit@bahia>
User-Agent: StGit/0.17.1-dirty
Message-Id: <147446364067.4880.17009801693705082626.stgit@bahia>
Subject: [Qemu-devel] [PATCH 1/7] virtio-9p: handle handle_9p_output() error
Cc: Kevin Wolf , "Michael S.
Tsirkin" , Jason Wang , Greg Kurz , Max Reitz , "Aneesh Kumar K.V" , Stefan Hajnoczi , Cornelia Huck , Paolo Bonzini Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" A broken guest may send a request with only non-empty out buffers or only non-empty in buffers, virtqueue_pop() will then return a VirtQueueElement with out_num == 0 or in_num == 0 respectively. All 9P requests are expected to start with the following 7-byte header: uint32_t size_le; uint8_t id; uint16_t tag_le; If iov_to_buf() fails to return these 7 bytes, then something is wrong in the guest. In both cases, it is wrong to crash QEMU, since the root cause lies in the guest. Let's switch the device to the broken state instead. Signed-off-by: Greg Kurz --- hw/9pfs/virtio-9p-device.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c index 009b43f6d045..0f09bef13392 100644 --- a/hw/9pfs/virtio-9p-device.c +++ b/hw/9pfs/virtio-9p-device.c @@ -56,13 +56,23 @@ static void handle_9p_output(VirtIODevice *vdev, VirtQueue *vq) break; } - BUG_ON(elem->out_num == 0 || elem->in_num == 0); + if (elem->out_num == 0 || elem->in_num == 0) { + virtio_error(vdev, + "The guest sent a VirtFS request without headers"); + pdu_free(pdu); + return; + } QEMU_BUILD_BUG_ON(sizeof out != 7); v->elems[pdu->idx] = elem; len = iov_to_buf(elem->out_sg, elem->out_num, 0, &out, sizeof out); - BUG_ON(len != sizeof out); + if (len != sizeof out) { + virtio_error(vdev, "The guest sent a malformed VirtFS request: " + "header size is %zd, should be 7", len); + pdu_free(pdu); + return; + } pdu->size = le32_to_cpu(out.size_le);
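Review bot: both new error paths leak the VirtQueueElement that virtqueue_pop() returned: after virtio_error(vdev, ...) only pdu_free(pdu) runs before the return, so elem is never g_free()'d, and on the second path `v->elems[pdu->idx] = elem;` has already been stored for the pdu that is then freed, leaving a stale element pointer in a slot that a later pdu_alloc() can hand out again. Suggest moving `v->elems[pdu->idx] = elem;` below the `len != sizeof out` check and routing both failures through one exit label that frees elem and then the pdu (e.g. `goto out_free_req;` with `g_free(elem); pdu_free(pdu);` at the end of the function), so the two virtio_error() branches do not duplicate cleanup. Separately, `in_num == 0` only catches the case of no in buffers at all; a guest can still pass an in buffer too small for the 7-byte reply header, so an iov_size() check on elem->in_sg at the same point would close that gap before the reply is written.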
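The hardened path the commit message describes, as an added example that is not QEMU's code and not part of this patch: a guest request is parsed from its out scatter list, and a missing or short 7-byte header (size_le, id, tag_le) is reported as an error rather than hit with BUG_ON(). gather() is a stand-in for QEMU's iov_to_buf() with the same contract (copy up to len bytes, return the count copied); struct iovec_s, the P9_ERR_* codes, parse_9p_header() and the demo_* inputs are all constructed here, as is the Tversion header used as sample data.

```c
/* Added example (not QEMU's code): validate the 7-byte 9P header at the start
 * of a guest request the way a hardened handle_9p_output() must, returning an
 * error instead of BUG_ON(). gather() stands in for QEMU's iov_to_buf() with
 * the same contract; struct iovec_s, the P9_ERR_* codes and the demo_* inputs
 * are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P9_HDR_SIZE 7

struct iovec_s { const void *base; size_t len; };
struct p9_hdr { uint32_t size; uint8_t id; uint16_t tag; };   /* size_le, id, tag_le */
enum { P9_OK = 0, P9_ERR_NO_BUFFERS = -1, P9_ERR_SHORT_HDR = -2 };

/* Copy up to len bytes at offset out of a scatter list; returns bytes copied,
 * which is less than len when the guest supplied too little data. */
static size_t gather(const struct iovec_s *iov, unsigned num, size_t offset,
                     void *buf, size_t len)
{
    size_t done = 0;
    for (unsigned i = 0; i < num && done < len; i++) {
        if (offset >= iov[i].len) {         /* skip buffers entirely before offset */
            offset -= iov[i].len;
            continue;
        }
        size_t n = iov[i].len - offset;
        if (n > len - done) {
            n = len - done;
        }
        memcpy((char *)buf + done, (const char *)iov[i].base + offset, n);
        done += n;
        offset = 0;
    }
    return done;
}

/* Decode the header from the out buffers; on failure returns a P9_ERR_* code
 * and fills err with the message a device would hand to virtio_error(). */
static int parse_9p_header(const struct iovec_s *out_sg, unsigned out_num,
                           unsigned in_num, struct p9_hdr *hdr,
                           char *err, size_t errlen)
{
    uint8_t raw[P9_HDR_SIZE];

    if (out_num == 0 || in_num == 0) {      /* first check in the patch */
        snprintf(err, errlen, "request without headers");
        return P9_ERR_NO_BUFFERS;
    }
    size_t len = gather(out_sg, out_num, 0, raw, sizeof raw);
    if (len != sizeof raw) {                /* second check in the patch */
        snprintf(err, errlen, "header size is %zu, should be %d", len, P9_HDR_SIZE);
        return P9_ERR_SHORT_HDR;
    }
    /* Explicit little-endian decode, equivalent to le32_to_cpu()/le16_to_cpu(). */
    hdr->size = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
                (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    hdr->id = raw[4];
    hdr->tag = (uint16_t)(raw[5] | raw[6] << 8);
    return P9_OK;
}

/* Constructed Tversion header: size 19, id 100, tag 0xffff (NOTAG). */
static const uint8_t TVERSION_HDR[P9_HDR_SIZE] = { 0x13, 0, 0, 0, 0x64, 0xff, 0xff };

/* Well-formed request whose header straddles two out buffers (3 + 4 bytes). */
static int demo_split_header(struct p9_hdr *hdr, char *err, size_t errlen)
{
    static const uint8_t payload[12] = { 0 };
    struct iovec_s out[3] = { { TVERSION_HDR, 3 }, { TVERSION_HDR + 3, 4 },
                              { payload, sizeof payload } };
    return parse_9p_header(out, 3, 1, hdr, err, errlen);
}
/* Broken guest: only 5 of the 7 header bytes are present. */
static int demo_short_header(struct p9_hdr *hdr, char *err, size_t errlen)
{
    struct iovec_s out[1] = { { TVERSION_HDR, 5 } };
    return parse_9p_header(out, 1, 1, hdr, err, errlen);
}
/* Broken guest: out buffers present, but no in buffer for the reply. */
static int demo_no_in_buffers(struct p9_hdr *hdr, char *err, size_t errlen)
{
    struct iovec_s out[1] = { { TVERSION_HDR, P9_HDR_SIZE } };
    return parse_9p_header(out, 1, 0, hdr, err, errlen);
}

int main(void)
{
    struct p9_hdr hdr;
    char err[64];
    int rc = demo_split_header(&hdr, err, sizeof err);
    printf("split: rc=%d size=%u id=%u tag=0x%04x\n", rc, hdr.size, hdr.id, hdr.tag);
    printf("short: rc=%d (%s)\n", demo_short_header(&hdr, err, sizeof err), err);
    printf("no-in: rc=%d (%s)\n", demo_no_in_buffers(&hdr, err, sizeof err), err);
    return 0;
}
```

The header deliberately straddles two out buffers in the well-formed case, because a gather copy that only looks at the first descriptor would wrongly reject a legal request; the short case shows the count iov_to_buf() returns is what tells the device the guest is broken. In the real device the non-zero codes map to virtio_error() followed by releasing both the pdu and the popped element, which is the cleanup the caller must not skip.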