From patchwork Thu Feb  3 04:34:08 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>
X-Patchwork-Id: 81617
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id CC6C1B715B
	for <incoming@patchwork.ozlabs.org>;
	Thu,  3 Feb 2011 15:36:09 +1100 (EST)
Received: from localhost ([127.0.0.1]:58377 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PkqvN-0000Dk-FG
	for incoming@patchwork.ozlabs.org; Wed, 02 Feb 2011 23:36:05 -0500
Received: from [140.186.70.92] (port=51270 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PkquZ-0000Cq-Kz
	for qemu-devel@nongnu.org; Wed, 02 Feb 2011 23:35:16 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <tamura.yoshiaki@lab.ntt.co.jp>) id 1PkquY-0006qG-BN
	for qemu-devel@nongnu.org; Wed, 02 Feb 2011 23:35:15 -0500
Received: from sh.osrg.net ([192.16.179.4]:45051)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <tamura.yoshiaki@lab.ntt.co.jp>) id 1PkquX-0006pi-Mb
	for qemu-devel@nongnu.org; Wed, 02 Feb 2011 23:35:14 -0500
Received: from fs.osrg.net (postfix@fs.osrg.net [10.0.0.12])
	by sh.osrg.net (8.14.3/8.14.3/OSRG-NET) with ESMTP id p134Z1Fv012417;
	Thu, 3 Feb 2011 13:35:01 +0900
Received: from localhost (hype-nh0.osrg.net [10.72.1.48])
	by fs.osrg.net (Postfix) with ESMTP id 061083E0026;
	Thu,  3 Feb 2011 13:35:01 +0900 (JST)
From: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>
To: qemu-devel@nongnu.org
Date: Thu,  3 Feb 2011 13:34:08 +0900
Message-Id: <1296707648-28191-1-git-send-email-tamura.yoshiaki@lab.ntt.co.jp>
X-Mailer: git-send-email 1.7.1.2
X-Dispatcher: imput version 20070423(IM149)
Lines: 53
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0
	(sh.osrg.net [192.16.179.4]); Thu, 03 Feb 2011 13:35:03 +0900 (JST)
X-Virus-Scanned: clamav-milter 0.96.5 at sh
X-Virus-Status: Clean
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2)
X-Received-From: 192.16.179.4
Cc: pbonzini@redhat.com, aliguori@us.ibm.com,
	Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>, quintela@redhat.com
Subject: [Qemu-devel] [PATCH 0.14] savevm: fix corruption in
	vmstate_subsection_load().
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Although it's rare to happen in live migration, when the head of a
byte stream contains 0x05 which is the marker of subsection, the
loader gets corrupted because vmstate_subsection_load() continues even
the device doesn't require it.  This patch adds a checker whether
subsection is needed, and skips following routines if not needed.

Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
---
 savevm.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/savevm.c b/savevm.c
index 4453217..6d83b0f 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1638,6 +1638,12 @@ static const VMStateDescription *vmstate_get_subsection(const VMStateSubsection
 static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
                                    void *opaque)
 {
+    const VMStateSubsection *sub = vmsd->subsections;
+
+    if (!sub || !sub->needed) {
+        return 0;
+    }
+
     while (qemu_peek_byte(f) == QEMU_VM_SUBSECTION) {
         char idstr[256];
         int ret;
@@ -1650,10 +1656,11 @@ static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
         idstr[len] = 0;
         version_id = qemu_get_be32(f);
 
-        sub_vmsd = vmstate_get_subsection(vmsd->subsections, idstr);
+        sub_vmsd = vmstate_get_subsection(sub, idstr);
         if (sub_vmsd == NULL) {
             return -ENOENT;
         }
+        assert(!sub_vmsd->subsections);
         ret = vmstate_load_state(f, sub_vmsd, opaque, version_id);
         if (ret) {
             return ret;
@@ -1677,6 +1684,7 @@ static void vmstate_subsection_save(QEMUFile *f, const VMStateDescription *vmsd,
             qemu_put_byte(f, len);
             qemu_put_buffer(f, (uint8_t *)vmsd->name, len);
             qemu_put_be32(f, vmsd->version_id);
+            assert(!vmsd->subsections);
             vmstate_save_state(f, vmsd, opaque);
         }
         sub++;