[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Qemu-devel] [PATCH v3 00/25] chardev: Convert qemu_chr_write() to take a size_t argument

To: Daniel P. Berrangé <berrange@xxxxxxxxxx>, Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
From: Eric Blake <eblake@xxxxxxxxxx>
Date: Wed, 20 Feb 2019 08:20:04 -0600
Cc: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Jason Wang <jasowang@xxxxxxxxxx>, qemu-devel <qemu-devel@xxxxxxxxxx>, Gerd Hoffmann <kraxel@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>, Halil Pasic <pasic@xxxxxxxxxxxxx>, Christian Borntraeger <borntraeger@xxxxxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>, Corey Minyard <minyard@xxxxxxx>, Amit Shah <amit@xxxxxxxxxx>, qemu-s390x@xxxxxxxxxx, Paul Durrant <paul.durrant@xxxxxxxxxx>, Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>, Zhang Chen <zhangckid@xxxxxxxxx>, David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>, Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx>, Cornelia Huck <cohuck@xxxxxxxxxx>, qemu-ppc@xxxxxxxxxx, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Stefan Berger <stefanb@xxxxxxxxxxxxx>
Delivery-date: Wed, 20 Feb 2019 14:21:06 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2/20/19 5:30 AM, Daniel P. Berrangé wrote:

>> Since Paolo you suggested the change, could you give some convincing
>> arguments that it's worth taking the plunge?
> 
> The chardev write/read methods will end up calling libc read/write
> methods, whose parameters are "size_t count".

In my mind, that's the convincing reason. We should model our read/write
after the libc read/write, which means size_t input and ssize_t returns.

> 
> Thus if there is QEMU code that could currently (mistakenly) pass a
> negative value for length to qemu_chr_write, unless something stops
> it, this is going to be cast to a size_t when we finally call read/
> write on the FD, leading to a large positive value & array out of
> bounds read/write. 
> 
> IOW we already have inconsistent use of signed vs unsigned in our code
> which has potential to cause bugs. Converting chardev to use size_t
> we get rid fo the mismatch with the underlying libc APIs we call,
> which ultimately eliminates an area of risk longer term. There is a
> chance it could uncover some pre-existing dormant bugs, but provided
> we do due diligence to check callers I think its a win to be consistent
> with libc APIs in size_t usage for read/write.

And hopefully this exercise of making the conversion serves as a good
audit to help us gain confidence in our code and/or fix bugs it uncovers.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v3 00/25] chardev: Convert qemu_chr_write() to take a size_t argument
  - From: Philippe Mathieu-Daudé
- Re: [Xen-devel] [PATCH v3 00/25] chardev: Convert qemu_chr_write() to take a size_t argument
  - From: Marc-André Lureau
- Re: [Xen-devel] [Qemu-devel] [PATCH v3 00/25] chardev: Convert qemu_chr_write() to take a size_t argument
  - From: Daniel P. Berrangé

Prev by Date: Re: [Xen-devel] xen/evtchn and forced threaded irq
Next by Date: Re: [Xen-devel] [PATCH v3 23/25] hw/ipmi: Assert outlen > outpos
Previous by thread: Re: [Xen-devel] [Qemu-devel] [PATCH v3 00/25] chardev: Convert qemu_chr_write() to take a size_t argument
Next by thread: [Xen-devel] [libvirt test] 133306: regressions - trouble: broken/fail/pass
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.