From patchwork Tue Jul 2 15:03:11 2019
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 168330
From: Peter Maydell
To: qemu-devel@nongnu.org
Date: Tue, 2 Jul 2019 16:03:11 +0100
Message-Id: <20190702150311.20467-1-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.20.1
Subject: [Qemu-devel] [PATCH for-4.1] tests/migration-test: Fix read off end of aarch64_kernel array
Cc: Laurent Vivier, Paolo Bonzini, Thomas Huth, "Dr. David Alan Gilbert", Juan Quintela

The test aarch64 kernel is in an array defined with

  unsigned char aarch64_kernel[] = { [...] }

which means it could be any size; currently it's quite small. However we write it to a file using init_bootfile(), which writes exactly 512 bytes to the file. This will break if we ever end up with a kernel larger than that, and will read garbage off the end of the array in the current setup where the kernel is smaller.

Make init_bootfile() take an argument giving the length of the data to write. This allows us to use it for all architectures (previously s390 had a special-purpose init_bootfile_s390x which hardcoded the file to write so it could write the correct length).

We assert that the x86 bootfile really is exactly 512 bytes as it should be (and as we were previously just assuming it was).
This was detected by the clang-7 asan:

==15607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a796f51d20 at pc 0x55a796b89c2f bp 0x7ffc58e89160 sp 0x7ffc58e88908
READ of size 512 at 0x55a796f51d20 thread T0
    #0 0x55a796b89c2e in fwrite (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0xb0c2e)
    #1 0x55a796c46492 in init_bootfile /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:99:5
    #2 0x55a796c46492 in test_migrate_start /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:593
    #3 0x55a796c44101 in test_baddest /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:854:9
    #4 0x7f906ffd3cc9 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72cc9)
    #5 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)
    #6 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)
    #7 0x7f906ffd3ea1 in g_test_run_suite (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ea1)
    #8 0x7f906ffd3ec0 in g_test_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ec0)
    #9 0x55a796c43707 in main /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:1187:11
    #10 0x7f906e9abb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x55a796b6c2d9 in _start (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0x932d9)

Signed-off-by: Peter Maydell
---
patchew's asan build doesn't spot this, so it's presumably using an older version of the sanitizers...

 tests/migration-test.c | 22 +++++++--------------
 1 file changed, 7 insertions(+), 15 deletions(-)

--
2.20.1

Reviewed-by: Laurent Vivier
Reviewed-by: Philippe Mathieu-Daudé

diff --git a/tests/migration-test.c b/tests/migration-test.c
index 0cd014dbe51..b6434628e1c 100644
--- a/tests/migration-test.c
+++ b/tests/migration-test.c
@@ -91,23 +91,13 @@ static const char *tmpfs; */ #include "tests/migration/i386/a-b-bootblock.h" #include "tests/migration/aarch64/a-b-kernel.h" - -static void init_bootfile(const char *bootpath, void *content) -{ - FILE *bootfile = fopen(bootpath, "wb"); - - g_assert_cmpint(fwrite(content, 512, 1, bootfile), ==, 1); - fclose(bootfile); -} - #include "tests/migration/s390x/a-b-bios.h" -static void init_bootfile_s390x(const char *bootpath) +static void init_bootfile(const char *bootpath, void *content, size_t len) { FILE *bootfile = fopen(bootpath, "wb"); - size_t len = sizeof(s390x_elf); - g_assert_cmpint(fwrite(s390x_elf, len, 1, bootfile), ==, 1); + g_assert_cmpint(fwrite(content, len, 1, bootfile), ==, 1); fclose(bootfile); } @@ -537,7 +527,9 @@ static int test_migrate_start(QTestState **from, QTestState **to, got_stop = false; bootpath = g_strdup_printf("%s/bootsect", tmpfs); if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { - init_bootfile(bootpath, x86_bootsect); + /* the assembled x86 boot sector should be exactly one sector large */ + assert(sizeof(x86_bootsect) == 512); + init_bootfile(bootpath, x86_bootsect, sizeof(x86_bootsect)); extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine accel=%s -m 150M" " -name source,debug-threads=on" @@ -555,7 +547,7 @@ static int test_migrate_start(QTestState **from, QTestState **to, start_address = X86_TEST_MEM_START; end_address = X86_TEST_MEM_END; } else if (g_str_equal(arch, "s390x")) { - init_bootfile_s390x(bootpath); + init_bootfile(bootpath, s390x_elf, sizeof(s390x_elf)); extra_opts = use_shmem ? get_shmem_opts("128M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine accel=%s -m 128M" " -name source,debug-threads=on" 
@@ -590,7 +582,7 @@ static int test_migrate_start(QTestState **from, QTestState **to, start_address = PPC_TEST_MEM_START; end_address = PPC_TEST_MEM_END; } else if (strcmp(arch, "aarch64") == 0) { - init_bootfile(bootpath, aarch64_kernel); + init_bootfile(bootpath, aarch64_kernel, sizeof(aarch64_kernel)); extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine virt,accel=%s,gic-version=max " "-name vmsource,debug-threads=on -cpu max "
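Review bot: in the first hunk (@@ -91,23 +91,13 @@) the merged init_bootfile() keeps the `void *content` parameter although the buffer is only ever handed to fwrite(), which takes `const void *`; declaring it `const void *content` would let the boot blobs be made const without a cast. The fopen() result is also used unchecked, so if the tmpfs path cannot be created the very next line calls fwrite() on a NULL FILE *. Adding `g_assert_nonnull(bootfile);` before the `g_assert_cmpint(fwrite(content, len, 1, bootfile), ==, 1);` keeps that failure on the test's own assertion path instead of a crash inside libc.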
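Review bot: in the second hunk (@@ -537,7 +527,9 @@) the new size check is a plain `assert(sizeof(x86_bootsect) == 512);`, while the surrounding test code, init_bootfile() included, uses the GLib `g_assert_cmpint()` family; `g_assert_cmpint(sizeof(x86_bootsect), ==, 512);` would match the file's style and print both values when it fails. Since sizeof() is a compile-time constant, this could also be a build-time check (for example QEMU_BUILD_BUG_ON from qemu/compiler.h, assuming osdep.h is already included by this test), so a mis-sized boot sector fails the build rather than one test run.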
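Review bot: in the last hunk (@@ -590,7 +582,7 @@), and likewise the s390x call in the hunk before it, `sizeof(aarch64_kernel)` only yields the blob length because the generated header defines the symbol as an array (`unsigned char aarch64_kernel[] = { [...] }`, per the commit message). If a future regeneration of a-b-kernel.h declared it as a pointer, sizeof would silently become the pointer size and the test would write 8 bytes with no assertion firing. A cheap guard is to take the length through an ARRAY_SIZE-style macro that rejects pointers (a `__builtin_types_compatible_p` check on the argument against `&arg[0]`), or at minimum to assert that the length is larger than `sizeof(void *)`.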
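As an added example, not QEMU's code and not part of this patch: a sized boot-file writer of the kind init_bootfile() becomes after this change, with the checks the commit message relies on made explicit. It has a compile-time guard that the x86-style boot sector is exactly 512 bytes, a macro that refuses to take sizeof() of a pointer, and a round-trip check that the file on disk has exactly the array's length and contents, which is what the old fixed 512-byte fwrite() violated for the smaller aarch64 array. The array names, their placeholder bytes and the helper functions are constructed for this example and are assumptions, not taken from tests/migration-test.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the generated a-b-kernel.h / a-b-bootblock.h
 * arrays (assumed names; the bytes are placeholders, not real code). */
static const unsigned char fake_aarch64_kernel[] = {
    0x00, 0x00, 0x80, 0xd2, 0x1f, 0x20, 0x03, 0xd5
};
static unsigned char fake_x86_bootsect[512] = { [510] = 0x55, [511] = 0xaa };

/* Compile-time guard that the boot sector is exactly one 512-byte sector:
 * a negative array size fails the build instead of a test run. */
typedef char x86_bootsect_is_one_sector[(sizeof(fake_x86_bootsect) == 512) ? 1 : -1];

/* MUST_BE_ARRAY(a) is 0 for a true array and a compile error for a pointer
 * (GCC/clang builtins), so ARRAY_BYTES() can never quietly return
 * sizeof(void *) if a blob is ever declared as a pointer instead. */
#define MUST_BE_ARRAY(a) \
    (sizeof(char[1 - 2 * __builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0]))]) - 1)
#define ARRAY_BYTES(a) (sizeof(a) + MUST_BE_ARRAY(a))

/* Write exactly len bytes of content to an open stream: the sized form of
 * init_bootfile(). Returns 0 on success, -1 on a NULL stream/buffer or a
 * short write. */
static int write_bootfile(FILE *f, const void *content, size_t len)
{
    if (f == NULL || content == NULL) {
        return -1;
    }
    if (len == 0) {
        return 0;
    }
    return fwrite(content, len, 1, f) == 1 ? 0 : -1;
}

/* Write content to a temporary file and report the resulting file size in
 * bytes, or -1 on error. With the sized writer this must equal len. */
static long bootfile_size_after_write(const void *content, size_t len)
{
    FILE *f = tmpfile();
    long size;

    if (f == NULL) {
        return -1;
    }
    if (write_bootfile(f, content, len) != 0 || fflush(f) != 0 ||
        fseek(f, 0, SEEK_END) != 0) {
        fclose(f);
        return -1;
    }
    size = ftell(f);
    fclose(f);
    return size;
}

/* Write content, read the file back and check it is byte-identical to the
 * source array with nothing trailing. Returns 1 if the round trip is exact. */
static int bootfile_roundtrip_ok(const void *content, size_t len)
{
    FILE *f = tmpfile();
    unsigned char *back;
    int ok = 0;

    if (f == NULL) {
        return 0;
    }
    back = malloc(len ? len : 1);
    if (back != NULL && write_bootfile(f, content, len) == 0) {
        rewind(f);
        if (fread(back, 1, len, f) == len && fgetc(f) == EOF &&
            memcmp(back, content, len) == 0) {
            ok = 1;
        }
    }
    free(back);
    fclose(f);
    return ok;
}

int main(void)
{
    printf("aarch64 blob: %ld bytes on disk (array is %zu)\n",
           bootfile_size_after_write(fake_aarch64_kernel, ARRAY_BYTES(fake_aarch64_kernel)),
           ARRAY_BYTES(fake_aarch64_kernel));
    printf("x86 sector:   %ld bytes on disk, roundtrip %s\n",
           bootfile_size_after_write(fake_x86_bootsect, ARRAY_BYTES(fake_x86_bootsect)),
           bootfile_roundtrip_ok(fake_x86_bootsect, ARRAY_BYTES(fake_x86_bootsect)) ? "ok" : "FAILED");
    return 0;
}
```

The typedef trick for the sector size is C89-safe and needs no project macro; under ASan the original fixed-size fwrite() would have been reported as the global-buffer-overflow shown in the trace above, whereas with a length argument the only thing left to check is that the length passed is really the array's, which is what ARRAY_BYTES() enforces at compile time.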