From patchwork Fri Jan 25 08:14:49 2013
X-Patchwork-Submitter: Amos Kong
X-Patchwork-Id: 215573
From: Amos Kong
To: qemu-devel@nongnu.org
Date: Fri, 25 Jan 2013 16:14:49 +0800
Message-Id: <1359101689-20600-1-git-send-email-akong@redhat.com>
Cc: aliguori@us.ibm.com, stefanha@redhat.com
Subject: [Qemu-devel] [PATCH] add fd limitations for avoiding a buffer overflow

FD_SET() and FD_CLR() are used to add and remove one descriptor from a set; the 'fd' should be less than FD_SETSIZE. Glibc will give a warning and crash qemu when we set an fd (1024) in a set.

# qemu -device virtio-net-pci,netdev=macvtap_netdev,mac=92:ff:8a:11:fe:57 -netdev tap,id=macvtap_netdev,fd=1024 1024<>/dev/tap4
*** buffer overflow detected ***: x86_64-softmmu/qemu-system-x86_64 terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f842a2134a7]
/lib64/libc.so.6(+0x35e9d08620)[0x7f842a211620]
/lib64/libc.so.6(+0x35e9d0a417)[0x7f842a213417]
x86_64-softmmu/qemu-system-x86_64(+0x1901fd)[0x7f842f09f1fd]
x86_64-softmmu/qemu-system-x86_64(+0x198388)[0x7f842f0a7388]
x86_64-softmmu/qemu-system-x86_64(main+0xfa9)[0x7f842ef897a9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f842a12aa05]
x86_64-softmmu/qemu-system-x86_64(+0x7ed49)[0x7f842ef8dd49]
======= Memory map: ========
....

This patch adds limitations when initializing the tap device and setting the fd handler for synchronous IO.

Signed-off-by: Amos Kong
---
 iohandler.c | 3 +++
 net/tap.c   | 3 ++-
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/iohandler.c b/iohandler.c
index 2523adc..c22edab 100644
--- a/iohandler.c
+++ b/iohandler.c
@@ -66,6 +66,9 @@ int qemu_set_fd_handler2(int fd, } } } else { + if (fd >= FD_SETSIZE) { + return 1; + } QLIST_FOREACH(ioh, &io_handlers, next) { if (ioh->fd == fd) goto found; diff --git a/net/tap.c b/net/tap.c index eb40c42..be856dd 100644 --- a/net/tap.c +++ b/net/tap.c @@ -618,7 +618,8 @@ int net_init_tap(const NetClientOptions *opts, const char *name, } fd = monitor_handle_fd_param(cur_mon, tap->fd); - if (fd == -1) { + if (fd == -1 || fd >= FD_SETSIZE) { + error_report("Invalid fd : %d", fd); return -1; }
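Review bot: the new `fd >= FD_SETSIZE` check in qemu_set_fd_handler2() returns 1 without reporting anything, so a caller that ignores the return value is left with a descriptor that is never polled and no message saying why; since the point of the patch is to turn a silent overflow into a visible failure, consider `error_report("fd %d exceeds FD_SETSIZE (%d)", fd, FD_SETSIZE);` before the return, plus a short comment on what the return value means to callers. A negative fd would overrun the bitmap just as badly, so `fd < 0 ||` alongside the new condition is cheap. Note also that the check only guards descriptors registered through this function; the fd_set ceiling itself remains for any other FD_SET() user, so this fixes the symptom rather than removing the FD_SETSIZE limit.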
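Review bot: in net_init_tap() the error_report() now also fires for the pre-existing `fd == -1` case, where "Invalid fd : -1" adds nothing if monitor_handle_fd_param() has already reported the failure; splitting the two conditions so that only the new out-of-range case reports, with a message that says why (`fd %d exceeds FD_SETSIZE`), keeps the error specific. The stray space in "Invalid fd : %d" should go as well. Also worth confirming: if monitor_handle_fd_param() hands ownership of the descriptor to net_init_tap(), the rejected fd should be closed before returning -1 so it is not leaked.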
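The FD_SETSIZE bound the commit message describes, as an added C example that is not part of the patch or of QEMU: fd_set_checked(), fd_set_past_end() and fd_set_roundtrip() are hypothetical names, and the example assumes glibc's layout, where an fd_set is FD_SETSIZE bits packed into an array of longs.

```c
/* Added example, not part of the patch or of QEMU: a bounds-checked FD_SET()
 * wrapper plus a helper showing why fd >= FD_SETSIZE writes past an fd_set.
 * Assumes glibc's layout: an fd_set is FD_SETSIZE bits packed into longs. */
#include <stdio.h>
#include <sys/select.h>

/* Number of long words in an fd_set (16 on 64-bit glibc, FD_SETSIZE 1024). */
#define FD_SET_WORDS (sizeof(fd_set) / sizeof(long))

/* 1 if FD_SET(fd, set) would index a word beyond the end of the struct,
 * which is the out-of-bounds write that _FORTIFY_SOURCE reports as
 * "*** buffer overflow detected ***"; 0 if the fd fits in the bitmap. */
static int fd_set_past_end(int fd)
{
    size_t word = (size_t)fd / (8 * sizeof(long));   /* negative fd wraps huge */
    return word >= FD_SET_WORDS;
}

/* Checked replacement for FD_SET(): refuses descriptors the bitmap cannot
 * hold instead of letting the macro overrun it.  Returns 0 on success,
 * -1 if fd is negative or >= FD_SETSIZE (the same bound the patch adds). */
static int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Round trip on a fresh set: -1 if fd was rejected, 1 if it is now set,
 * 0 if it was accepted but FD_ISSET() does not see it (should not happen). */
static int fd_set_roundtrip(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (fd_set_checked(fd, &set) != 0) {
        return -1;
    }
    return FD_ISSET(fd, &set) ? 1 : 0;
}

int main(void)
{
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes\n", FD_SETSIZE, sizeof(fd_set));
    printf("fd %d: roundtrip=%d past_end=%d\n", FD_SETSIZE - 1,
           fd_set_roundtrip(FD_SETSIZE - 1), fd_set_past_end(FD_SETSIZE - 1));
    printf("fd %d: roundtrip=%d past_end=%d\n", FD_SETSIZE,
           fd_set_roundtrip(FD_SETSIZE), fd_set_past_end(FD_SETSIZE));
    return 0;
}
```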