From patchwork Thu Aug 29 07:10:14 2019
X-Patchwork-Submitter: Gerd Hoffmann
X-Patchwork-Id: 1155069
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Ying Fang, Gerd Hoffmann, zhanghailiang
Date: Thu, 29 Aug 2019 09:10:14 +0200
Message-Id: <20190829071016.16589-2-kraxel@redhat.com>
In-Reply-To: <20190829071016.16589-1-kraxel@redhat.com>
References: <20190829071016.16589-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 1/3] xhci: Fix memory leak in xhci_address_slot

From: Ying Fang

Address Sanitizer shows memory leak in xhci_address_slot
hw/usb/hcd-xhci.c:2156 and the stack is as below:

Direct leak of 64 byte(s) in 4 object(s) allocated from:
    #0 0xffff91c6f5ab in realloc (/lib64/libasan.so.4+0xd35ab)
    #1 0xffff91987243 in g_realloc (/lib64/libglib-2.0.so.0+0x57243)
    #2 0xaaaab0b26a1f in qemu_iovec_add util/iov.c:296
    #3 0xaaaab07e5ce3 in xhci_address_slot hw/usb/hcd-xhci.c:2156
    #4 0xaaaab07e5ce3 in xhci_process_commands hw/usb/hcd-xhci.c:2493
    #5 0xaaaab00058d7 in memory_region_write_accessor qemu/memory.c:507
    #6 0xaaaab0000d87 in access_with_adjusted_size memory.c:573
    #7 0xaaaab000abcf in memory_region_dispatch_write memory.c:1516
    #8 0xaaaaaff59947 in flatview_write_continue exec.c:3367
    #9 0xaaaaaff59c33 in flatview_write exec.c:3406
    #10 0xaaaaaff63b3b in address_space_write exec.c:3496
    #11 0xaaaab002f263 in kvm_cpu_exec accel/kvm/kvm-all.c:2288
    #12 0xaaaaaffee427 in qemu_kvm_cpu_thread_fn cpus.c:1290
    #13 0xaaaab0b1a943 in qemu_thread_start util/qemu-thread-posix.c:502
    #14 0xffff908ce8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
    #15 0xffff908165cb in thread_start (/lib64/libc.so.6+0xd55cb)

Cc: zhanghailiang
Signed-off-by: Ying Fang
Reviewed-by: Li Qiang
Message-id: 20190827080209.2365-1-fangying1@huawei.com
Signed-off-by: Gerd Hoffmann
---
 hw/usb/hcd-xhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index f5782649482b..471759cd4cc0 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c 
@@ -2161,6 +2161,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, DeviceOutRequest | USB_REQ_SET_ADDRESS, slotid, 0, 0, NULL); assert(p.status != USB_RET_ASYNC); + usb_packet_cleanup(&p); } res = xhci_enable_ep(xhci, slotid, 1, octx+32, ep0_ctx);

From patchwork Thu Aug 29 07:10:16 2019
X-Patchwork-Submitter: Gerd Hoffmann
X-Patchwork-Id: 1155070
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Bandan Das, Gerd Hoffmann
Date: Thu, 29 Aug 2019 09:10:16 +0200
Message-Id: <20190829071016.16589-4-kraxel@redhat.com>
In-Reply-To: <20190829071016.16589-1-kraxel@redhat.com>
References: <20190829071016.16589-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 3/3] usb-mtp: add sanity checks on rootdir

From: Bandan Das

Currently, we don't check if rootdir exists and is accessible.
Furthermore, a trailing slash results in a null "desc" string which
ends up in the share not visible in the guest. Add some simple
sanity checks for appropriate permissions. Also, bail out if the
user does not supply an absolute path.

Signed-off-by: Bandan Das
Message-id: jpga7bto3on.fsf@linux.bootlegged.copy
Signed-off-by: Gerd Hoffmann
---
 hw/usb/dev-mtp.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 9846e4b5130b..7c07295519d3 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -2038,26 +2038,36 @@ static void usb_mtp_realize(USBDevice *dev, Error **errp) { MTPState *s = USB_MTP(dev); - usb_desc_create_serial(dev); - usb_desc_init(dev); - QTAILQ_INIT(&s->objects); - if (s->desc == NULL) { - if (s->root == NULL) { - error_setg(errp, "usb-mtp: rootdir property must be configured"); - return; - } - s->desc = strrchr(s->root, '/'); - if (s->desc && s->desc[0]) { - s->desc = g_strdup(s->desc + 1); - } else { - s->desc = g_strdup("none"); - } + if ((s->root == NULL) || !g_path_is_absolute(s->root)) { + error_setg(errp, "usb-mtp: rootdir must be configured and be an absolute path"); + return; } + + if (access(s->root, R_OK) != 0) { + error_setg(errp, "usb-mtp: rootdir does not exist/not readable"); + return; + } else if (!s->readonly && access(s->root, W_OK) != 0) { + error_setg(errp, "usb-mtp: rootdir does not have write permissions"); + return; + } + /* Mark store as RW */ if (!s->readonly) { s->flags |= (1 << MTP_FLAG_WRITABLE); } + if (s->desc == NULL) { + /* + * This does not check if path exists + * but we have the checks above + */ + s->desc = g_path_get_basename(s->root); + } + + usb_desc_create_serial(dev); + usb_desc_init(dev); + QTAILQ_INIT(&s->objects); + } static const VMStateDescription vmstate_usb_mtp = {
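
Review bot: in the hw/usb/hcd-xhci.c hunk, the added usb_packet_cleanup(&p) is reached only at the end of the block, after assert(p.status != USB_RET_ASYNC), so the fix covers the leak only if nothing leaves the block earlier. The hunk does not show the packet setup that the ASan trace attributes to hcd-xhci.c:2156 (qemu_iovec_add); please confirm there is no return or goto between that setup and this call, and consider a one-line comment pairing the cleanup with the setup so a later early exit does not reintroduce the leak.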
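
Review bot: in the hw/usb/dev-mtp.c hunk, the new access(s->root, R_OK) and access(s->root, W_OK) checks in usb_mtp_realize pass for any readable path, including a regular file, and do not test search permission, so a rootdir that is not a directory or lacks execute permission still gets through. Suggest also verifying that s->root is a directory (for example with g_file_test(s->root, G_FILE_TEST_IS_DIR)) and including X_OK in the check. The result is only a snapshot taken at realize time, so later operations on the share still need their own error handling. Two smaller points: g_path_get_basename() returns "/" when rootdir is "/", which then becomes the desc string, and the hunk leaves a blank line before the closing brace of the function.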