From 36a343cbba2752fab2995fd0d9848c192f0c9579 Mon Sep 17 00:00:00 2001 From: Christophe de Dinechin Date: Fri, 28 Feb 2020 16:00:59 +0100 Subject: [PATCH 1/4] scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Compile error reported by gcc 10.0.1: scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] 523 | paramp.trnptid_list[paramp.num_transportid++] = id; | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from scsi/qemu-pr-helper.c:36: /usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ 168 | struct transportid *trnptid_list[]; | ^~~~~~~~~~~~ scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ 424 | struct prout_param_descriptor paramp; | ^~~~~~ This highlights an actual implementation issue in function multipath_pr_out. The variable paramp is declared with type `struct prout_param_descriptor`, which is a struct terminated by an empty array in mpath_persist.h: struct transportid *trnptid_list[]; That empty array was filled with code that looked like that: trnptid_list[paramp.descr.num_transportid++] = id; This is an actual out-of-bounds access. The fix is to malloc `paramp`. Signed-off-by: Christophe de Dinechin Signed-off-by: Paolo Bonzini --- scsi/qemu-pr-helper.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c index a256ce490b1..aa135df1f9a 100644 --- a/scsi/qemu-pr-helper.c +++ b/scsi/qemu-pr-helper.c 
@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, int rq_servact = cdb[1]; int rq_scope = cdb[2] >> 4; int rq_type = cdb[2] & 0xf; - struct prout_param_descriptor paramp; + g_autofree struct prout_param_descriptor *paramp = NULL; char transportids[PR_HELPER_DATA_SIZE]; int r; + paramp = g_malloc0(sizeof(struct prout_param_descriptor) + + sizeof(struct transportid *) * MPATH_MX_TIDS); + if (sz < PR_OUT_FIXED_PARAM_SIZE) { /* Illegal request, Parameter list length error. This isn't fatal; * we have read the data, send an error without closing the socket. @@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, * used by libmpathpersist (which, of course, will immediately * do the opposite). */ - memset(¶mp, 0, sizeof(paramp)); - memcpy(¶mp.key, ¶m[0], 8); - memcpy(¶mp.sa_key, ¶m[8], 8); - paramp.sa_flags = param[20]; + memcpy(¶mp->key, ¶m[0], 8); + memcpy(¶mp->sa_key, ¶m[8], 8); + paramp->sa_flags = param[20]; if (sz > PR_OUT_FIXED_PARAM_SIZE) { size_t transportid_len; int i, j; @@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, return CHECK_CONDITION; } - paramp.trnptid_list[paramp.num_transportid++] = id; + assert(paramp->num_transportid < MPATH_MX_TIDS); + paramp->trnptid_list[paramp->num_transportid++] = id; } } r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, - ¶mp, noisy, verbose); + paramp, noisy, verbose); return mpath_reconstruct_sense(fd, r, sense); } #endif -- Gitee From a90cb5bc6accc02d155d74f08e630a26f252f435 Mon Sep 17 00:00:00 2001 
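Review bot: The size expression in the added `g_malloc0(sizeof(struct prout_param_descriptor) + sizeof(struct transportid *) * MPATH_MX_TIDS)` names both types independently of the object it fills, so a later change to the struct or to the element type of trnptid_list would not be caught on this line; `sizeof(*paramp) + sizeof(paramp->trnptid_list[0]) * MPATH_MX_TIDS` keeps the size tied to the variable and its flexible member (sizeof does not evaluate its operand, so the NULL initialiser is not a problem). A one-line comment above the call, e.g. `/* trnptid_list is a flexible array member: reserve the MPATH_MX_TIDS entries the fill loop below is bounded to */`, would also explain the otherwise opaque second term. multipath_pr_out continues past this hunk.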
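Review bot: The new `assert(paramp->num_transportid < MPATH_MX_TIDS);` in the third hunk turns the former out-of-bounds write into an abort of the whole helper process, on a count that is derived from the parameter list received from the peer. If the parameter data the helper accepts can carry more transport IDs than MPATH_MX_TIDS (I cannot verify PR_HELPER_DATA_SIZE or MPATH_MX_TIDS from this diff), a peer sending such a list takes the helper down for every other client, whereas the surrounding code answers malformed parameters with a sense code and `return CHECK_CONDITION` without closing the socket, as the lines just above the assert show. I would keep the bound but make it a normal error path, as below, using the sense helper the earlier parameter checks in this file use; the assert is only appropriate if that limit is proven unreachable from the accepted data size, and then a comment should say so. multipath_pr_out starts outside this hunk.

```c
            if (paramp->num_transportid >= MPATH_MX_TIDS) {
                /* More transport IDs than libmpathpersist can take: report an
                 * Illegal Request like the other parameter-list errors above
                 * instead of aborting the helper. */
                scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM));
                return CHECK_CONDITION;
            }
            paramp->trnptid_list[paramp->num_transportid++] = id;
            /* … unchanged: loop end and mpath_persistent_reserve_out() call … */
```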
From: Yonggang Luo Date: Tue, 13 Oct 2020 07:43:46 +0800 Subject: [PATCH 2/4] curses: Fixes curses compiling errors. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is the compiling error: ../ui/curses.c: In function 'curses_refresh': ../ui/curses.c:256:5: error: 'next_maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized] 256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode) | ^~~~~~~~~~ ../ui/curses.c:302:32: note: 'next_maybe_keycode' was declared here 302 | enum maybe_keycode next_maybe_keycode; | ^~~~~~~~~~~~~~~~~~ ../ui/curses.c:256:5: error: 'maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized] 256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode) | ^~~~~~~~~~ ../ui/curses.c:265:24: note: 'maybe_keycode' was declared here 265 | enum maybe_keycode maybe_keycode; | ^~~~~~~~~~~~~ cc1.exe: all warnings being treated as errors gcc version 10.2.0 (Rev1, Built by MSYS2 project) Signed-off-by: Yonggang Luo Reviewed-by: Gerd Hoffmann Reviewed-by: Daniel P. Berrangé Message-id: 20201012234348.1427-4-luoyonggang@gmail.com Signed-off-by: Gerd Hoffmann --- ui/curses.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ui/curses.c b/ui/curses.c index a6e260eb964..18fcfe82d8e 100644 --- a/ui/curses.c +++ b/ui/curses.c @@ -259,7 +259,7 @@ static int curses2foo(const int _curses2foo[], const int _curseskey2foo[], static void curses_refresh(DisplayChangeListener *dcl) { int chr, keysym, keycode, keycode_alt; - enum maybe_keycode maybe_keycode; + enum maybe_keycode maybe_keycode = CURSES_KEYCODE; curses_winch_check(); 
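Review bot: `enum maybe_keycode maybe_keycode = CURSES_KEYCODE;` picks a default without saying why that member is the safe one; if console_getch() can return -1 without storing through its out-parameter (which the -Wmaybe-uninitialized report suggests but this diff cannot confirm), that default is what curses2foo() then classifies against, so it is part of the behaviour rather than only a warning silencer. A short comment on this line such as `/* default in case console_getch() returns -1 without setting it */`, and the same on `next_maybe_keycode` in the following hunk at -296, would record that. If instead console_getch() always writes the out-parameter, a comment saying the initialiser exists only to satisfy GCC 10 is equally useful, so nobody later "fixes" the value. curses_refresh continues outside this hunk.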
@@ -296,7 +296,7 @@ static void curses_refresh(DisplayChangeListener *dcl) /* alt or esc key */ if (keycode == 1) { - enum maybe_keycode next_maybe_keycode; + enum maybe_keycode next_maybe_keycode = CURSES_KEYCODE; int nextchr = console_getch(&next_maybe_keycode); if (nextchr != -1) { -- Gitee From 55dee3d51d658d72edecd28168be69f822bff970 Mon Sep 17 00:00:00 2001 From: liuxiangdong Date: Tue, 8 Feb 2022 15:10:25 +0800 Subject: [PATCH 3/4] net/dump.c: Suppress spurious compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Compiling with gcc version 11.2.0 (Ubuntu 11.2.0-13ubuntu1) results in a (spurious) warning: In function ‘dump_receive_iov’, inlined from ‘filter_dump_receive_iov’ at ../net/dump.c:157:5: ../net/dump.c:89:9: error: ‘writev’ specified size 18446744073709551600 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=] 89 | if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from /home/ptomsich/qemu/include/qemu/osdep.h:108, from ../net/dump.c:25: ../net/dump.c: In function ‘filter_dump_receive_iov’: /usr/include/x86_64-linux-gnu/sys/uio.h:52:16: note: in a call to function ‘writev’ declared with attribute ‘read_only (2, 3)’ 52 | extern ssize_t writev (int __fd, const struct iovec *__iovec, int __count) | ^~~~~~ cc1: all warnings being treated as errors This change helps that version of GCC to understand what is going on and suppresses this warning. Signed-off-by: Philipp Tomsich --- net/dump.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/dump.c b/net/dump.c index 23b3628dde7..3cf9fe869d2 100644 --- a/net/dump.c +++ b/net/dump.c 
@@ -86,7 +86,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt) dumpiov[0].iov_len = sizeof(hdr); cnt = iov_copy(&dumpiov[1], cnt, iov, cnt, 0, caplen); - if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) { + if (writev(s->fd, &dumpiov[0], cnt + 1) != sizeof(hdr) + caplen) { error_report("network dump write error - stopping dump"); close(s->fd); s->fd = -1; -- Gitee From d3918f6f22ad23b18f83eb446ee787d41ffd4631 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Thu, 28 Jan 2021 18:15:23 +0100 Subject: [PATCH 4/4] tests: Replace deprecated ASN1 code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes several compiler warnings on MacOS with Homebrew. The git development branch for forthcoming libtasn1 4.17.0 has introduced deprecation warnings for several macros/types that we use. Signed-off-by: Stefan Weil Signed-off-by: Daniel P. Berrangé --- tests/crypto-tls-x509-helpers.c | 10 +++++----- tests/crypto-tls-x509-helpers.h | 2 +- tests/pkix_asn1_tab.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c index 9b669c2a4bc..5471434ca2c 100644 --- a/tests/crypto-tls-x509-helpers.c +++ b/tests/crypto-tls-x509-helpers.c @@ -30,7 +30,7 @@ * This stores some static data that is needed when * encoding extensions in the x509 certs */ -ASN1_TYPE pkix_asn1; +asn1_node pkix_asn1; /* * To avoid consuming random entropy to generate keys, @@ -118,7 +118,7 @@ void test_tls_cleanup(const char *keyfile) /* * Turns an ASN1 object into a DER encoded byte array */ -static void test_tls_der_encode(ASN1_TYPE src, +static void test_tls_der_encode(asn1_node src, const char *src_name, gnutls_datum_t *res) { 
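Review bot: `&dumpiov[0]` is the same pointer value as `dumpiov`, so the rewritten writev() call changes only what GCC's analysis sees, and without a comment the next cleanup will fold it back and reintroduce the error; suggest `/* &dumpiov[0] rather than dumpiov: sidesteps a spurious -Wstringop-overflow in GCC 11 */` on the line above. The size the diagnostic quotes, 18446744073709551600, is (size_t)-16 bytes, i.e. a count of -1 iovecs, which suggests GCC modelled `cnt` (an int here, assigned from iov_copy() on the preceding line) as possibly negative; if iov_copy() returns an unsigned count, giving `cnt + 1` that type may be the more durable fix than the address spelling, though the declarations are not visible from this hunk. dump_receive_iov starts outside this hunk.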
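Review bot: Switching `ASN1_TYPE pkix_asn1;` to `asn1_node pkix_asn1;` (and the companion hunks in this file, in crypto-tls-x509-helpers.h and in pkix_asn1_tab.c) raises the minimum libtasn1 this test code compiles against, and nothing in the commit records or enforces that floor. As far as I recall asn1_node and asn1_static_node have existed since the libtasn1 3.x series with ASN1_TYPE and ASN1_ARRAY_TYPE kept as compatibility names, so this is probably fine, but either the build configuration should check that minimum or the commit message should state it, otherwise a host with an older libtasn1 fails with an undeclared-identifier error instead of a clear version message. The `asn1_node ext = NULL;` replacements also rely on ASN1_TYPE_EMPTY having been a null pointer; one sentence in the commit message noting that equivalence would make the change self-evidently safe to a reader without the header at hand.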
@@ -296,7 +296,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * the 'critical' field which we want control over */ if (req->basicConstraintsEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext); asn1_write_value(ext, "cA", @@ -323,7 +323,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * to be 'critical' */ if (req->keyUsageEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; char str[2]; str[0] = req->keyUsageValue & 0xff; @@ -353,7 +353,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * set this the hard way building up ASN1 data ourselves */ if (req->keyPurposeEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext); if (req->keyPurposeOID1) { diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h index 08efba4e197..8fcd7785ab0 100644 --- a/tests/crypto-tls-x509-helpers.h +++ b/tests/crypto-tls-x509-helpers.h @@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile); }; \ test_tls_generate_cert(&varname, NULL) -extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; +extern const asn1_static_node pkix_asn1_tab[]; #endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */ diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c index f15fc515cbd..4aaf736d3f2 100644 --- a/tests/pkix_asn1_tab.c +++ b/tests/pkix_asn1_tab.c @@ -8,7 +8,7 @@ #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT -const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { +const asn1_static_node pkix_asn1_tab[] = { {"PKIX1", 536875024, 0}, {0, 1073741836, 0}, {"id-ce", 1879048204, 0}, -- Gitee