From f46efa9b0895a7ff8ed0b4e874aee52a49f2a878 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Wed, 10 Jul 2019 11:52:53 +0800 Subject: [PATCH 1/5] e1000: don't raise interrupt in pre_save() We should not raise any interrupt after VM has been stopped but this is what e1000 currently did when mit timer is active in pre_save(). Fixing this by scheduling a timer in post_load() which can make sure the interrupt was raised when VM is running. Reported-and-tested-by: Longpeng Signed-off-by: Jason Wang --- hw/net/e1000.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 1dc1466332..a023ceb27c 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -1381,11 +1381,6 @@ static int e1000_pre_save(void *opaque) E1000State *s = opaque; NetClientState *nc = qemu_get_queue(s->nic); - /* If the mitigation timer is active, emulate a timeout now. */ - if (s->mit_timer_on) { - e1000_mit_timer(s); - } - /* * If link is down and auto-negotiation is supported and ongoing, * complete auto-negotiation immediately. This allows us to look @@ -1423,7 +1418,8 @@ static int e1000_post_load(void *opaque, int version_id) s->mit_irq_level = false; } s->mit_ide = 0; - s->mit_timer_on = false; + s->mit_timer_on = true; + timer_mod(s->mit_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 1); /* nc.link_down can't be migrated, so infer link_down according * to link status bit in mac_reg[STATUS]. From 6f5d8671225dc77190647f18a27a0d156d4ca97a Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 23 Jul 2019 16:17:52 +0530 Subject: [PATCH 2/5] qemu-bridge-helper: restrict interface name to IFNAMSIZ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The network interface name in Linux is defined to be of size IFNAMSIZ(=16), including the terminating null('\0') byte. The same is applied to interface names read from 'bridge.conf' file to form ACL rules. If user supplied '--br=bridge' name is not restricted to the same length, it could lead to ACL bypass issue. Restrict interface name to IFNAMSIZ, including null byte. Reported-by: Riccardo Schirone Signed-off-by: Prasad J Pandit Reviewed-by: Stefan Hajnoczi Reviewed-by: Daniel P. Berrangé Reviewed-by: Li Qiang Signed-off-by: Jason Wang --- qemu-bridge-helper.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c index 95624bc300..2058e10454 100644 --- a/qemu-bridge-helper.c +++ b/qemu-bridge-helper.c @@ -119,6 +119,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) } *argend = 0; + if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) { + fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg)); + fclose(f); + errno = EINVAL; + return -1; + } + if (strcmp(cmd, "deny") == 0) { acl_rule = g_malloc(sizeof(*acl_rule)); if (strcmp(arg, "all") == 0) { @@ -269,6 +276,10 @@ int main(int argc, char **argv) usage(); return EXIT_FAILURE; } + if (strlen(bridge) >= IFNAMSIZ) { + fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge)); + return EXIT_FAILURE; + } /* parse default acl file */ QSIMPLEQ_INIT(&acl_list); From 3283dde4b5b5cce0f96f48d536bebff66d97ce0b Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 23 Jul 2019 16:17:53 +0530 Subject: [PATCH 3/5] qemu-bridge-helper: move repeating code in parse_acl_file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move repeating error handling sequence in parse_acl_file routine to an 'err' label. Signed-off-by: Prasad J Pandit Reviewed-by: Stefan Hajnoczi Reviewed-by: Daniel P. Berrangé Reviewed-by: Li Qiang Signed-off-by: Jason Wang --- qemu-bridge-helper.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c index 2058e10454..3d50ec094c 100644 --- a/qemu-bridge-helper.c +++ b/qemu-bridge-helper.c @@ -102,9 +102,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) if (arg == NULL) { fprintf(stderr, "Invalid config line:\n %s\n", line); - fclose(f); - errno = EINVAL; - return -1; + goto err; } *arg = 0; @@ -121,9 +119,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) { fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg)); - fclose(f); - errno = EINVAL; - return -1; + goto err; } if (strcmp(cmd, "deny") == 0) { @@ -149,15 +145,18 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) parse_acl_file(arg, acl_list); } else { fprintf(stderr, "Unknown command `%s'\n", cmd); - fclose(f); - errno = EINVAL; - return -1; + goto err; } } fclose(f); - return 0; + +err: + fclose(f); + errno = EINVAL; + return -1; + } static bool has_vnet_hdr(int fd) From 389abe1dd1790c0de7a2f1f422dcdf778b509a16 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 23 Jul 2019 16:17:54 +0530 Subject: [PATCH 4/5] net: tap: replace snprintf with g_strdup_printf calls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When invoking qemu-bridge-helper in 'net_bridge_run_helper', instead of using fixed sized buffers, use dynamically allocated ones initialised and returned by g_strdup_printf(). Signed-off-by: Prasad J Pandit Reviewed-by: Li Qiang Reviewed-by: Daniel P. Berrangé Signed-off-by: Jason Wang --- net/tap.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/net/tap.c b/net/tap.c index e8aadd8d4b..fc38029f41 100644 --- a/net/tap.c +++ b/net/tap.c @@ -498,9 +498,9 @@ static int net_bridge_run_helper(const char *helper, const char *bridge, } if (pid == 0) { int open_max = sysconf(_SC_OPEN_MAX), i; - char fd_buf[6+10]; - char br_buf[6+IFNAMSIZ] = {0}; - char helper_cmd[PATH_MAX + sizeof(fd_buf) + sizeof(br_buf) + 15]; + char *fd_buf = NULL; + char *br_buf = NULL; + char *helper_cmd = NULL; for (i = 3; i < open_max; i++) { if (i != sv[1]) { @@ -508,17 +508,17 @@ static int net_bridge_run_helper(const char *helper, const char *bridge, } } - snprintf(fd_buf, sizeof(fd_buf), "%s%d", "--fd=", sv[1]); + fd_buf = g_strdup_printf("%s%d", "--fd=", sv[1]); if (strrchr(helper, ' ') || strrchr(helper, '\t')) { /* assume helper is a command */ if (strstr(helper, "--br=") == NULL) { - snprintf(br_buf, sizeof(br_buf), "%s%s", "--br=", bridge); + br_buf = g_strdup_printf("%s%s", "--br=", bridge); } - snprintf(helper_cmd, sizeof(helper_cmd), "%s %s %s %s", - helper, "--use-vnet", fd_buf, br_buf); + helper_cmd = g_strdup_printf("%s %s %s %s", helper, + "--use-vnet", fd_buf, br_buf ? br_buf : ""); parg = args; *parg++ = (char *)"sh"; @@ -527,10 +527,11 @@ static int net_bridge_run_helper(const char *helper, const char *bridge, *parg++ = NULL; execv("/bin/sh", args); + g_free(helper_cmd); } else { /* assume helper is just the executable path name */ - snprintf(br_buf, sizeof(br_buf), "%s%s", "--br=", bridge); + br_buf = g_strdup_printf("%s%s", "--br=", bridge); parg = args; *parg++ = (char *)helper; @@ -541,6 +542,8 @@ static int net_bridge_run_helper(const char *helper, const char *bridge, execv(helper, args); } + g_free(fd_buf); + g_free(br_buf); _exit(1); } else { From f77bed14f01557596727c4eea042e9818c242049 Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Tue, 23 Jul 2019 01:18:28 +0800 Subject: [PATCH 5/5] net/colo-compare.c: Fix memory leak and code style issue. This patch to fix the origin "char *data" memory leak, code style issue and add necessary check here. Reported-by: Coverity (CID 1402785) Signed-off-by: Zhang Chen Reviewed-by: Peter Maydell Signed-off-by: Jason Wang --- net/colo-compare.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/net/colo-compare.c b/net/colo-compare.c index 909dd6c6eb..7489840bde 100644 --- a/net/colo-compare.c +++ b/net/colo-compare.c @@ -127,6 +127,17 @@ static int compare_chr_send(CompareState *s, uint32_t vnet_hdr_len, bool notify_remote_frame); +static bool packet_matches_str(const char *str, + const uint8_t *buf, + uint32_t packet_len) +{ + if (packet_len != strlen(str)) { + return false; + } + + return !memcmp(str, buf, strlen(str)); +} + static void notify_remote_frame(CompareState *s) { char msg[] = "DO_CHECKPOINT"; @@ -1008,21 +1019,23 @@ static void compare_notify_rs_finalize(SocketReadState *notify_rs) { CompareState *s = container_of(notify_rs, CompareState, notify_rs); - /* Get Xen colo-frame's notify and handle the message */ - char *data = g_memdup(notify_rs->buf, notify_rs->packet_len); - char msg[] = "COLO_COMPARE_GET_XEN_INIT"; + const char msg[] = "COLO_COMPARE_GET_XEN_INIT"; int ret; - if (!strcmp(data, "COLO_USERSPACE_PROXY_INIT")) { + if (packet_matches_str("COLO_USERSPACE_PROXY_INIT", + notify_rs->buf, + notify_rs->packet_len)) { ret = compare_chr_send(s, (uint8_t *)msg, strlen(msg), 0, true); if (ret < 0) { error_report("Notify Xen COLO-frame INIT failed"); } - } - - if (!strcmp(data, "COLO_CHECKPOINT")) { + } else if (packet_matches_str("COLO_CHECKPOINT", + notify_rs->buf, + notify_rs->packet_len)) { /* colo-compare do checkpoint, flush pri packet and remove sec packet */ g_queue_foreach(&s->conn_list, colo_flush_packets, s); + } else { + error_report("COLO compare got unsupported instruction"); } }