[02/10] hw/ppc/ppc405_boards: Don't use load_image()

Message ID	20181130151712.2312-3-peter.maydell@linaro.org
State	Superseded
Headers	show Delivered-To: patches@linaro.org Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; From: Peter Maydell <peter.maydell@linaro.org> To: qemu-devel@nongnu.org Cc: patches@linaro.org, Stefan Hajnoczi <stefanha@redhat.com>, Eric Blake <eblake@redhat.com>, "Daniel P . Berrange" <berrange@redhat.com>, Li Zhijian <lizhijian@cn.fujitsu.com>, Philip Li <philip.li@intel.com>, Peter Crosthwaite <crosthwaite.peter@gmail.com>, Alexander Graf <agraf@suse.de>, Kevin Wolf <kwolf@redhat.com>, Max Reitz <mreitz@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, David Gibson <david@gibson.dropbear.id.au>, Igor Mammedov <imammedo@redhat.com>, qemu-block@nongnu.org, qemu-ppc@nongnu.org Subject: [PATCH 02/10] hw/ppc/ppc405_boards: Don't use load_image() Date: Fri, 30 Nov 2018 15:17:04 +0000 Message-Id: <20181130151712.2312-3-peter.maydell@linaro.org> In-Reply-To: <20181130151712.2312-1-peter.maydell@linaro.org> References: <20181130151712.2312-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Remove deprecated load_image() function \| expand [00/10] Remove deprecated load_image() function [01/10] hw/ppc/mac_newworld, mac_oldworld: Don't use load_image() [02/10] hw/ppc/ppc405_boards: Don't use load_image() [03/10] hw/smbios/smbios.c: Don't use load_image() [04/10] hw/pci/pci.c: Don't use load_image() [05/10] hw/i386/pc.c: Don't use load_image() [06/10] hw/i386/multiboot.c: Don't use load_image() [07/10] hw/block/tc58128.c: Don't use load_image() [08/10] device_tree.c: Don't use load_image() [09/10] hw/core/loader.c: Remove load_image() [10/10] include/hw/loader.h: Document load_image_size()

Message ID

20181130151712.2312-3-peter.maydell@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: best guess record for domain of
	pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted
	sender) client-ip=2001:8b0:1d0::2; 
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, Stefan Hajnoczi <stefanha@redhat.com>,
	Eric Blake <eblake@redhat.com>,
	"Daniel P . Berrange" <berrange@redhat.com>,
	Li Zhijian <lizhijian@cn.fujitsu.com>, Philip Li <philip.li@intel.com>,
	Peter Crosthwaite <crosthwaite.peter@gmail.com>,
	Alexander Graf <agraf@suse.de>, Kevin Wolf <kwolf@redhat.com>,
	Max Reitz <mreitz@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	David Gibson <david@gibson.dropbear.id.au>,
	Igor Mammedov <imammedo@redhat.com>, qemu-block@nongnu.org,
	qemu-ppc@nongnu.org
Subject: [PATCH 02/10] hw/ppc/ppc405_boards: Don't use load_image()
Date: Fri, 30 Nov 2018 15:17:04 +0000
Message-Id: <20181130151712.2312-3-peter.maydell@linaro.org>
In-Reply-To: <20181130151712.2312-1-peter.maydell@linaro.org>
References: <20181130151712.2312-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Remove deprecated load_image() function | expand

Commit Message

Peter Maydell Nov. 30, 2018, 3:17 p.m. UTC

The load_image() function is deprecated, as it does not let the
caller specify how large the buffer to read the file into is.
Instead use load_image_size().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---
 hw/ppc/ppc405_boards.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

-- 
2.19.1

Comments

Eric Blake Nov. 30, 2018, 8:20 p.m. UTC | #1

On 11/30/18 9:17 AM, Peter Maydell wrote:
> The load_image() function is deprecated, as it does not let the

> caller specify how large the buffer to read the file into is.

> Instead use load_image_size().

> 

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

> ---

>   hw/ppc/ppc405_boards.c | 12 ++++++++----

>   1 file changed, 8 insertions(+), 4 deletions(-)

> 

> diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c

> index 3be3fe4432b..1b0a0a8ba3a 100644

> --- a/hw/ppc/ppc405_boards.c

> +++ b/hw/ppc/ppc405_boards.c

> @@ -219,9 +219,11 @@ static void ref405ep_init(MachineState *machine)

>               bios_name = BIOS_FILENAME;

>           filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);

>           if (filename) {

> -            bios_size = load_image(filename, memory_region_get_ram_ptr(bios));

> +            bios_size = load_image_size(filename,

> +                                        memory_region_get_ram_ptr(bios),

> +                                        BIOS_SIZE);

>               g_free(filename);

> -            if (bios_size < 0 || bios_size > BIOS_SIZE) {


That old code is so wrong - "if we already overflowed the destination, 
possibly allowing for RCE in the meantime which might not even return to 
executing this code, THEN check and report the overflow".

> +            if (bios_size < 0) {

>                   error_report("Could not load PowerPC BIOS '%s'", bios_name);

>                   exit(1);

>               }


MUCH safer, even if silent truncation happens.
Reviewed-by: Eric Blake <eblake@redhat.com>


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

David Gibson Dec. 2, 2018, 8:55 a.m. UTC | #2

On Fri, Nov 30, 2018 at 03:17:04PM +0000, Peter Maydell wrote:
> The load_image() function is deprecated, as it does not let the

> caller specify how large the buffer to read the file into is.

> Instead use load_image_size().

> 

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Acked-by: David Gibson <david@gibson.dropbear.id.au>


> ---

>  hw/ppc/ppc405_boards.c | 12 ++++++++----

>  1 file changed, 8 insertions(+), 4 deletions(-)

> 

> diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c

> index 3be3fe4432b..1b0a0a8ba3a 100644

> --- a/hw/ppc/ppc405_boards.c

> +++ b/hw/ppc/ppc405_boards.c

> @@ -219,9 +219,11 @@ static void ref405ep_init(MachineState *machine)

>              bios_name = BIOS_FILENAME;

>          filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);

>          if (filename) {

> -            bios_size = load_image(filename, memory_region_get_ram_ptr(bios));

> +            bios_size = load_image_size(filename,

> +                                        memory_region_get_ram_ptr(bios),

> +                                        BIOS_SIZE);

>              g_free(filename);

> -            if (bios_size < 0 || bios_size > BIOS_SIZE) {

> +            if (bios_size < 0) {

>                  error_report("Could not load PowerPC BIOS '%s'", bios_name);

>                  exit(1);

>              }

> @@ -515,9 +517,11 @@ static void taihu_405ep_init(MachineState *machine)

>                                 &error_fatal);

>          filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);

>          if (filename) {

> -            bios_size = load_image(filename, memory_region_get_ram_ptr(bios));

> +            bios_size = load_image_size(filename,

> +                                        memory_region_get_ram_ptr(bios),

> +                                        BIOS_SIZE);

>              g_free(filename);

> -            if (bios_size < 0 || bios_size > BIOS_SIZE) {

> +            if (bios_size < 0) {

>                  error_report("Could not load PowerPC BIOS '%s'", bios_name);

>                  exit(1);

>              }


-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 3be3fe4432b..1b0a0a8ba3a 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -219,9 +219,11 @@  static void ref405ep_init(MachineState *machine)
             bios_name = BIOS_FILENAME;
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
         if (filename) {
-            bios_size = load_image(filename, memory_region_get_ram_ptr(bios));
+            bios_size = load_image_size(filename,
+                                        memory_region_get_ram_ptr(bios),
+                                        BIOS_SIZE);
             g_free(filename);
-            if (bios_size < 0 || bios_size > BIOS_SIZE) {
+            if (bios_size < 0) {
                 error_report("Could not load PowerPC BIOS '%s'", bios_name);
                 exit(1);
             }
@@ -515,9 +517,11 @@  static void taihu_405ep_init(MachineState *machine)
                                &error_fatal);
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
         if (filename) {
-            bios_size = load_image(filename, memory_region_get_ram_ptr(bios));
+            bios_size = load_image_size(filename,
+                                        memory_region_get_ram_ptr(bios),
+                                        BIOS_SIZE);
             g_free(filename);
-            if (bios_size < 0 || bios_size > BIOS_SIZE) {
+            if (bios_size < 0) {
                 error_report("Could not load PowerPC BIOS '%s'", bios_name);
                 exit(1);
             }

[02/10] hw/ppc/ppc405_boards: Don't use load_image()

Commit Message

Comments

Patch