From patchwork Sun Jul 15 19:52:42 2018
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 944087

From: Laurent Vivier
To: qemu-devel@nongnu.org
Date: Sun, 15 Jul 2018 21:52:42 +0200
Message-Id: <20180715195242.6645-5-laurent@vivier.eu>
In-Reply-To: <20180715195242.6645-1-laurent@vivier.eu>
References: <20180715195242.6645-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 4/4] Zero out the host's `msg_control` buffer
Cc: Riku Voipio, Laurent Vivier, Jonas Schievink
From: Jonas Schievink

If this is not done, qemu would drop any control message after the first one. This is because glibc's `CMSG_NXTHDR` macro accesses the uninitialized cmsghdr's length field in order to find out if the message fits into the `msg_control` buffer, wrongly assuming that it doesn't because the length field contains garbage.

Accessing the length field is fine for completed messages we receive from the kernel, but is - as far as I know - not needed since the kernel won't return such an invalid cmsghdr in the first place.

This is tracked as this glibc bug: https://sourceware.org/bugzilla/show_bug.cgi?id=13500

It's probably also a good idea to bail with an error if `CMSG_NXTHDR` returns NULL but `TARGET_CMSG_NXTHDR` doesn't (i.e. we still expect cmsgs).

Signed-off-by: Jonas Schievink
Reviewed-by: Laurent Vivier
Message-Id: <20180711221244.31869-1-jonasschievink@gmail.com>
Signed-off-by: Laurent Vivier
---
 linux-user/syscall.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index aa4f3eb1c8..3df3bdffb2 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3843,6 +3843,8 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp, } msg.msg_controllen = 2 * tswapal(msgp->msg_controllen); msg.msg_control = alloca(msg.msg_controllen); + memset(msg.msg_control, 0, msg.msg_controllen); + msg.msg_flags = tswap32(msgp->msg_flags); count = tswapal(msgp->msg_iovlen);
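Review bot: the added `memset(msg.msg_control, 0, msg.msg_controllen);` deserves a one-line comment pointing at glibc bug 13500, because on its own it reads as redundant (the buffer is filled by the target-to-host conversion right after) and is the kind of line a later cleanup removes. Also note that `msg.msg_controllen` is `2 * tswapal(msgp->msg_controllen)`, a guest-controlled value backing an `alloca()`; the hunk shows only the closing `}` of whatever check precedes it, so please confirm that check bounds the length before the `alloca`, since the memset now touches every byte of that region. Finally, the commit message proposes failing with an error when `CMSG_NXTHDR` returns NULL while `TARGET_CMSG_NXTHDR` does not; that is not in this patch, so either add it or drop the sentence from the message so the description matches the change.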
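As an added illustration of the behaviour the description explains (this is not QEMU's code or part of the patch), the C below compares a sender filling a zeroed control buffer against one filling a poisoned buffer. `nxthdr_old_model` is an assumed model of the pre-fix glibc check, written from the commit message rather than copied from glibc, and is run alongside the host's real `CMSG_NXTHDR`; `build_two` and the 0x41 poison byte are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* size_t alignment used by the CMSG_* macros */
static size_t align_sz(size_t n) { return (n + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1); }
/* Assumed model (not glibc's code) of the pre-fix CMSG_NXTHDR logic the commit
 * message describes: after stepping to the next header it reads that header's
 * cmsg_len, which the sender has not written yet, to decide if it "fits". */
static struct cmsghdr *nxthdr_old_model(struct msghdr *mh, struct cmsghdr *c)
{
    unsigned char *end = (unsigned char *)mh->msg_control + mh->msg_controllen;
    if ((size_t)c->cmsg_len < sizeof(struct cmsghdr))
        return NULL;                          /* current header malformed */
    c = (struct cmsghdr *)((unsigned char *)c + align_sz(c->cmsg_len));
    size_t left = (size_t)(end - (unsigned char *)c);
    if (left < sizeof(struct cmsghdr) || align_sz(c->cmsg_len) > left)
        return NULL;                          /* 2nd test reads uninitialised bytes */
    return c;
}
/* The host's real CMSG_NXTHDR, wrapped so both variants share one signature. */
static struct cmsghdr *nxthdr_glibc(struct msghdr *mh, struct cmsghdr *c)
{
    return CMSG_NXTHDR(mh, c);
}

/* Place two one-int control messages the way a sender does.
 * poison != 0 fills the buffer with 0x41 first (standing in for whatever an
 * unzeroed alloca() region holds); poison == 0 is what the patch's memset gives.
 * Returns how many headers could be placed. */
static int build_two(int poison,
                     struct cmsghdr *(*next)(struct msghdr *, struct cmsghdr *))
{
    unsigned char buf[2 * CMSG_SPACE(sizeof(int))]; /* room for exactly two */
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_control = buf;
    mh.msg_controllen = sizeof buf;
    memset(buf, poison ? 0x41 : 0, sizeof buf);
    int placed = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c != NULL && placed < 2;
         c = next(&mh, c)) {
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &placed, sizeof(int)); /* constructed payload */
        placed++;
    }
    return placed;
}
```

With the zeroed buffer both walkers place two headers; with the poisoned buffer the old-model walker stops after the first, which is the dropped-message symptom the patch fixes.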