From patchwork Tue Mar 31 14:06:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1264774 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=LjW/tyAT; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48sB3X1CMnz9sPJ for ; Wed, 1 Apr 2020 01:07:18 +1100 (AEDT) Received: from localhost ([::1]:38598 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHXv-0002HP-7H for incoming@patchwork.ozlabs.org; Tue, 31 Mar 2020 10:07:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47886) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHXX-0002Es-P6 for qemu-devel@nongnu.org; Tue, 31 Mar 2020 10:06:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jJHXW-0007dQ-QC for qemu-devel@nongnu.org; Tue, 31 Mar 2020 10:06:51 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:53210 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jJHXW-0007d4-MX for qemu-devel@nongnu.org; Tue, 31 Mar 2020 10:06:50 -0400 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1585663610; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HFKw99eybEBSOFz3dUXtZpLQZvMzVUyCJ6arSOjZUVc=; b=LjW/tyATsSQvYtB5ay7dPkhq9lb2gKhzeK4qkpfSiQ6wlpEbXofwt9ooJSfQFsOd+S+q7T eZxZLJsoGjF8FuQAFZHBzwGxBkJlyLo84Th1mMK1JzlkxzLzdykAY6JfbtQhD6CcU8OSg2 fh/++nIgzBoPtt3F2RJDK9Zp801KZYk= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-339-KaR1cyJkO2STxyv_39RG4g-1; Tue, 31 Mar 2020 10:06:48 -0400 X-MC-Unique: KaR1cyJkO2STxyv_39RG4g-1 Received: by mail-wm1-f69.google.com with SMTP id e16so505526wmh.5 for ; Tue, 31 Mar 2020 07:06:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=YhmapbcU5a1HoNpuFF+HAiAFJ1ozuO4gZZnYbW0h/jM=; b=mKmUql0XJ935suHOX5xc3lUX8Yml/EhuDC4QOzbcPS5atnneKHqTI4mOYqkUVX7FbW rc3LqPxf+Vlw/VbMB7ZZL1IKMHtiLWb0rRw5UZwMNRnVm4t0bX0l/CyNcLXf5/exrpQ3 eUsSXlPk6TXUiC5PI2WwiXqxQvp6BJi++AX4cZ09S2YNnxMGPgeyIJ3qC7reR0y/SbC6 aSjrlDf5dPqzARS3iMfSB4kVUCq4b6IBDS8Zb45ZIcC5d06SewnFqgLtkHsWL7pCkkMY 9de2EtEOKqyZkyZqSbfoAnsTkNCxE72UlPIwmWRp58zGwjkPXMi4vnmw72NeZnNRiXUR bMjg== X-Gm-Message-State: ANhLgQ0izMVzAyewU+jZJjW6hxVrSroQEmskoiCTMUaXwfcgg9oXkei3 SEHGR5anwulOva7GTe1mDcnuo09NU/bPwlhePbTw7hUUHtcASZhLTFOfhEuEg53HXGMm3UeoHQW Y0+aw5KgxdeGiMF0= X-Received: by 2002:a7b:ce95:: with SMTP id q21mr3818977wmj.65.1585663607329; Tue, 31 Mar 2020 07:06:47 -0700 (PDT) X-Google-Smtp-Source: ADFU+vviFCLsHP+ZYvcT+aQatfMvktmNgf8A/W71hBKHbnQ0zXh2PQ15vZ5fQmWC4vHPjp5yn5EleA== X-Received: by 2002:a7b:ce95:: with SMTP id q21mr3818965wmj.65.1585663607134; Tue, 31 Mar 
2020 07:06:47 -0700 (PDT) Received: from localhost.localdomain (116.red-83-42-57.dynamicip.rima-tde.net. [83.42.57.116]) by smtp.gmail.com with ESMTPSA id u128sm4025190wmu.31.2020.03.31.07.06.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Mar 2020 07:06:46 -0700 (PDT) 
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-5.0 v2 1/4] Revert "prevent crash when executing guest-file-read with large count"
Date: Tue, 31 Mar 2020 16:06:35 +0200
Message-Id: <20200331140638.16464-2-philmd@redhat.com>
X-Mailer: git-send-email 2.21.1
In-Reply-To: <20200331140638.16464-1-philmd@redhat.com>
References: <20200331140638.16464-1-philmd@redhat.com>
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 207.211.31.120
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
Cc: Daniel P. Berrangé, Markus Armbruster, Michael Roth, Fakhri Zulkifli, "Dr . David Alan Gilbert", Sameeh Jubran, Basil Salman, Philippe Mathieu-Daudé, Dietmar Maurer
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"

By using g_try_malloc() instead of g_malloc() the qemu-guest-agent
Denial-of-Service attack referred to in commit 807e2b6fce is reduced,
but still triggerable:

- bisect file size S until g_try_malloc(S) fails,
- use S - 1: g_try_malloc(S - 1) succeeds, but g_new0() a few lines
  later will fail.

    346     buf = g_try_malloc0(count + 1);
    347     if (!buf) {
    348         error_setg(errp,
    349                    "failed to allocate sufficient memory "
    350                    "to complete the requested service");
    351         return NULL;
    352     }
    353     is_ok = ReadFile(fh, buf, count, &read_count, NULL);
    354     if (!is_ok) {
    355         error_setg_win32(errp, GetLastError(), "failed to read file");
    356         slog("guest-file-read failed, handle %" PRId64, handle);
    357     } else {
    358         buf[read_count] = 0;
    359         read_data = g_new0(GuestFileRead, 1);
                            ^^^^^^

Instead we are going to put a low hard limit on 'count' in the next
commits.

This reverts commit 807e2b6fce022707418bc8f61c069d91c613b3d2.
Suggested-by: Daniel P. Berrangé
Signed-off-by: Philippe Mathieu-Daudé
---
 qga/commands-win32.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index b49920e201..46cea7d1d9 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -343,13 +343,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, } fh = gfh->fh; - buf = g_try_malloc0(count + 1); - if (!buf) { - error_setg(errp, - "failed to allocate sufficient memory " - "to complete the requested service"); - return NULL; - } + buf = g_malloc0(count + 1); is_ok = ReadFile(fh, buf, count, &read_count, NULL); if (!is_ok) { error_setg_win32(errp, GetLastError(), "failed to read file"); From patchwork Tue Mar 31 14:06:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1264777 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Xdrhr3GK; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48sB5575bVz9sSG for ; Wed, 1 Apr 2020 01:08:41 +1100 (AEDT) Received: from localhost ([::1]:38628 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHZH-0004qT-TM for incoming@patchwork.ozlabs.org; Tue, 31 Mar 2020 10:08:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47899) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHXd-0002N5-U6 for qemu-devel@nongnu.org; Tue, 31 Mar 2020 10:06:59 -0400 Received: from 
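Review bot: the `+ buf = g_malloc0(count + 1);` line restores the abort-on-allocation-failure behaviour that 807e2b6fce removed, while nothing in this patch bounds `count` yet (the only check still visible in the caller, per the context shown in 3/4, is `count < 0 || count >= UINT32_MAX`), so between this commit and 4/4 the Windows agent is back to crashing on an oversized `count`; either move the 10 MB cap ahead of the revert or state explicitly in the commit message that the series is not bisect-safe at this point. The reasoning in the message holds up: `g_try_malloc0()` only protects the first allocation, and `g_new0(GuestFileRead, 1)` a few lines later still aborts when memory is exhausted, so the soft-fail allocation never gave a real guarantee.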
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-5.0 v2 2/4] qga: Extract guest_file_handle_find() to commands-common.h
Date: Tue, 31 Mar 2020 16:06:36 +0200
Message-Id: <20200331140638.16464-3-philmd@redhat.com>
In-Reply-To: <20200331140638.16464-1-philmd@redhat.com>
References: <20200331140638.16464-1-philmd@redhat.com>
Cc: Daniel P. Berrangé, Markus Armbruster, Michael Roth, Fakhri Zulkifli, "Dr . David Alan Gilbert", Sameeh Jubran, Basil Salman, Philippe Mathieu-Daudé, Dietmar Maurer

As we are going to reuse this method, declare it in a common header.
Signed-off-by: Philippe Mathieu-Daudé --- qga/commands-common.h | 18 ++++++++++++++++++ qga/commands-posix.c | 7 ++++--- qga/commands-win32.c | 7 ++++--- 3 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 qga/commands-common.h diff --git a/qga/commands-common.h b/qga/commands-common.h new file mode 100644 index 0000000000..af90e5481e --- /dev/null +++ b/qga/commands-common.h @@ -0,0 +1,18 @@ +/* + * QEMU Guest Agent common/cross-platform common commands + * + * Copyright (c) 2020 Red Hat, Inc. + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ +#ifndef QGA_COMMANDS_COMMON_H +#define QGA_COMMANDS_COMMON_H + +#include "qga-qapi-types.h" + +typedef struct GuestFileHandle GuestFileHandle; + +GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp); + +#endif diff --git a/qga/commands-posix.c b/qga/commands-posix.c index 93474ff770..2199b3b6d9 100644 --- a/qga/commands-posix.c +++ b/qga/commands-posix.c @@ -26,6 +26,7 @@ #include "qemu/sockets.h" #include "qemu/base64.h" #include "qemu/cutils.h" +#include "commands-common.h" #ifdef HAVE_UTMPX #include @@ -237,12 +238,12 @@ typedef enum { RW_STATE_WRITING, } RwState; -typedef struct GuestFileHandle { +struct GuestFileHandle { uint64_t id; FILE *fh; RwState state; QTAILQ_ENTRY(GuestFileHandle) next; -} GuestFileHandle; +}; static struct { QTAILQ_HEAD(, GuestFileHandle) filehandles; @@ -268,7 +269,7 @@ static int64_t guest_file_handle_add(FILE *fh, Error **errp) return handle; } -static GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) +GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) { GuestFileHandle *gfh; diff --git a/qga/commands-win32.c b/qga/commands-win32.c index 46cea7d1d9..cfaf6b84b8 100644 --- a/qga/commands-win32.c +++ b/qga/commands-win32.c 
@@ -37,6 +37,7 @@ #include "qemu/queue.h" #include "qemu/host-utils.h" #include "qemu/base64.h" +#include "commands-common.h" #ifndef SHTDN_REASON_FLAG_PLANNED #define SHTDN_REASON_FLAG_PLANNED 0x80000000 @@ -50,11 +51,11 @@ #define INVALID_SET_FILE_POINTER ((DWORD)-1) -typedef struct GuestFileHandle { +struct GuestFileHandle { int64_t id; HANDLE fh; QTAILQ_ENTRY(GuestFileHandle) next; -} GuestFileHandle; +}; static struct { QTAILQ_HEAD(, GuestFileHandle) filehandles; 
@@ -126,7 +127,7 @@ static int64_t guest_file_handle_add(HANDLE fh, Error **errp) return handle; } -static GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) +GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) { GuestFileHandle *gfh; QTAILQ_FOREACH(gfh, &guest_file_state.filehandles, next) { From patchwork Tue Mar 31 14:06:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1264776 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=MmluHkKd; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48sB3q0WByz9sSG for ; Wed, 1 Apr 2020 01:07:35 +1100 (AEDT) Received: from localhost ([::1]:38610 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHYD-0002af-0Z for incoming@patchwork.ozlabs.org; Tue, 31 Mar 2020 10:07:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47936) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHXj-0002WQ-DI for qemu-devel@nongnu.org; Tue, 31 Mar 2020 10:07:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jJHXi-0007no-2o for 
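Review bot: in the new qga/commands-common.h hunk the file comment reads "common/cross-platform common commands", which repeats "common"; suggest "cross-platform common commands". The remaining hunks are consistent with each other: the opaque `typedef struct GuestFileHandle GuestFileHandle;` pairs with the `struct GuestFileHandle { ... };` definitions in commands-posix.c and commands-win32.c, and `#include "commands-common.h"` is added to both files ahead of the now non-static `guest_file_handle_find()` definitions, so each definition is checked against the shared prototype.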
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-5.0 v2 3/4] qga: Extract qmp_guest_file_read() to common commands.c
Date: Tue, 31 Mar 2020 16:06:37 +0200
Message-Id: <20200331140638.16464-4-philmd@redhat.com>
In-Reply-To: <20200331140638.16464-1-philmd@redhat.com>
References: <20200331140638.16464-1-philmd@redhat.com>
Cc: Daniel P. Berrangé, Markus Armbruster, Michael Roth, Fakhri Zulkifli, "Dr . David Alan Gilbert", Sameeh Jubran, Basil Salman, Philippe Mathieu-Daudé, Dietmar Maurer

Extract the common code shared by both POSIX/Win32 implementations.
Signed-off-by: Philippe Mathieu-Daudé --- qga/commands-common.h | 3 +++ qga/commands-posix.c | 22 +++------------------- qga/commands-win32.c | 20 +++----------------- qga/commands.c | 25 +++++++++++++++++++++++++ 4 files changed, 34 insertions(+), 36 deletions(-) diff --git a/qga/commands-common.h b/qga/commands-common.h index af90e5481e..90785ed4bb 100644 --- a/qga/commands-common.h +++ b/qga/commands-common.h @@ -15,4 +15,7 @@ typedef struct GuestFileHandle GuestFileHandle; GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp); +GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, + int64_t count, Error **errp); + #endif diff --git a/qga/commands-posix.c b/qga/commands-posix.c index 2199b3b6d9..3352e9ca66 100644 --- a/qga/commands-posix.c +++ b/qga/commands-posix.c @@ -461,29 +461,14 @@ void qmp_guest_file_close(int64_t handle, Error **errp) g_free(gfh); } -struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, - int64_t count, Error **errp) +GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, + int64_t count, Error **errp) { - GuestFileHandle *gfh = guest_file_handle_find(handle, errp); GuestFileRead *read_data = NULL; guchar *buf; - FILE *fh; + FILE *fh = gfh->fh; size_t read_count; - if (!gfh) { - return NULL; - } - - if (!has_count) { - count = QGA_READ_COUNT_DEFAULT; - } else if (count < 0 || count >= UINT32_MAX) { - error_setg(errp, "value '%" PRId64 "' is invalid for argument count", - count); - return NULL; - } - - fh = gfh->fh; - /* explicitly flush when switching from writing to reading */ if (gfh->state == RW_STATE_WRITING) { int ret = fflush(fh); @@ -498,7 +483,6 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, read_count = fread(buf, 1, count, fh); if (ferror(fh)) { error_setg_errno(errp, errno, "failed to read file"); - slog("guest-file-read failed, handle: %" PRId64, handle); } else { buf[read_count] = 0; read_data = g_new0(GuestFileRead, 1); 
diff --git a/qga/commands-win32.c b/qga/commands-win32.c index cfaf6b84b8..9717a8d52d 100644 --- a/qga/commands-win32.c +++ b/qga/commands-win32.c @@ -322,33 +322,19 @@ void qmp_guest_shutdown(bool has_mode, const char *mode, Error **errp) } } -GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, - int64_t count, Error **errp) +GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, + int64_t count, Error **errp) { GuestFileRead *read_data = NULL; guchar *buf; - HANDLE fh; + HANDLE fh = gfh->fh; bool is_ok; DWORD read_count; - GuestFileHandle *gfh = guest_file_handle_find(handle, errp); - if (!gfh) { - return NULL; - } - if (!has_count) { - count = QGA_READ_COUNT_DEFAULT; - } else if (count < 0 || count >= UINT32_MAX) { - error_setg(errp, "value '%" PRId64 - "' is invalid for argument count", count); - return NULL; - } - - fh = gfh->fh; buf = g_malloc0(count + 1); is_ok = ReadFile(fh, buf, count, &read_count, NULL); if (!is_ok) { error_setg_win32(errp, GetLastError(), "failed to read file"); - slog("guest-file-read failed, handle %" PRId64, handle); } else { buf[read_count] = 0; read_data = g_new0(GuestFileRead, 1); diff --git a/qga/commands.c b/qga/commands.c index 4471a9f08d..8ee1244ebb 100644 --- a/qga/commands.c +++ b/qga/commands.c 
@@ -547,3 +547,28 @@ error: g_free(info); return NULL; } + +GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, + int64_t count, Error **errp) +{ + GuestFileHandle *gfh = guest_file_handle_find(handle, errp); + GuestFileRead *read_data; + + if (!gfh) { + return NULL; + } + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; + } else if (count < 0 || count >= UINT32_MAX) { + error_setg(errp, "value '%" PRId64 "' is invalid for argument count", + count); + return NULL; + } + + read_data = guest_file_read_unsafe(gfh, count, errp); + if (!read_data) { + slog("guest-file-write failed, handle: %" PRId64, handle); + } + + return read_data; +} From patchwork Tue Mar 31 14:06:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1264778 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=N5un7EZx; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48sB6F0n3dz9sPJ for ; Wed, 1 Apr 2020 01:09:41 +1100 (AEDT) Received: from localhost ([::1]:38642 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jJHaE-0006Vx-W7 for incoming@patchwork.ozlabs.org; Tue, 31 Mar 2020 
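Review bot: in the qga/commands.c hunk, `slog("guest-file-write failed, handle: %" PRId64, handle);` sits inside `qmp_guest_file_read()` and should read "guest-file-read failed" (the message dropped from commands-posix.c in this same patch had the correct name). Two related points: the new `qmp_guest_file_read()` calls `guest_file_handle_find()` and `guest_file_read_unsafe()`, yet this patch adds no `#include "commands-common.h"` to commands.c (that include only arrives in 4/4), so 3/4 on its own relies on implicit declarations and breaks bisection; move the include here. And the log line now fires on every NULL return from `guest_file_read_unsafe()`, not only on the `fread()`/`ferror()` and `ReadFile()` failures the old `slog()` calls were attached to, which is reasonable but deserves a sentence in the commit message.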
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-5.0 v2 4/4] qga: Restrict guest-file-read count to 10 MB to avoid crashes
Date: Tue, 31 Mar 2020 16:06:38 +0200
Message-Id: <20200331140638.16464-5-philmd@redhat.com>
In-Reply-To: <20200331140638.16464-1-philmd@redhat.com>
References: <20200331140638.16464-1-philmd@redhat.com>
Cc: Daniel P. Berrangé, Markus Armbruster, Michael Roth, Fakhri Zulkifli, "Dr . David Alan Gilbert", Sameeh Jubran, Basil Salman, Philippe Mathieu-Daudé, Dietmar Maurer

On https://www.mail-archive.com/qemu-devel@nongnu.org/msg693176.html
Daniel Berrangé commented:

  The QEMU guest agent protocol is not a sensible way to access huge
  files inside the guest. It requires the inefficient process of reading
  the entire data into memory, then duplicating it again in base64
  format, and then copying it again in the JSON serializer / monitor
  code.

  For arbitrary general purpose file access, especially for large files,
  use a real file transfer program or use a network block device, not
  the QEMU guest agent.

To avoid bug reports such as BZ#1594054, follow his suggestion to put a
low, hard limit on "count" in the guest agent QAPI schema, and don't
allow count to be larger than 10 MB.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1594054
Reported-by: Fakhri Zulkifli
Suggested-by: Daniel P. Berrangé
Signed-off-by: Philippe Mathieu-Daudé --- qga/qapi-schema.json | 6 ++++-- qga/commands.c | 6 +++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index f6fcb59f34..7758d9daf8 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -266,11 +266,13 @@ ## # @guest-file-read: # -# Read from an open file in the guest. Data will be base64-encoded +# Read from an open file in the guest. Data will be base64-encoded. +# As this command is just for limited, ad-hoc debugging, such as log +# file access, the number of bytes to read is limited to 10 MB. # # @handle: filehandle returned by guest-file-open # -# @count: maximum number of bytes to read (default is 4KB) +# @count: maximum number of bytes to read (default is 4KB, maximum is 10MB) # # Returns: @GuestFileRead on success. # diff --git a/qga/commands.c b/qga/commands.c index 8ee1244ebb..c130d1b0f5 100644 --- a/qga/commands.c +++ b/qga/commands.c @@ -11,6 +11,7 @@ */ #include "qemu/osdep.h" +#include "qemu/units.h" #include "guest-agent-core.h" #include "qga-qapi-commands.h" #include "qapi/error.h" @@ -18,11 +19,14 @@ #include "qemu/base64.h" #include "qemu/cutils.h" #include "qemu/atomic.h" +#include "commands-common.h" /* Maximum captured guest-exec out_data/err_data - 16MB */ #define GUEST_EXEC_MAX_OUTPUT (16*1024*1024) /* Allocation and I/O buffer for reading guest-exec out_data/err_data - 4KB */ #define GUEST_EXEC_IO_SIZE (4*1024) +/* Maximum file size to read - 10MB */ +#define GUEST_FILE_READ_COUNT_MAX (10 * MiB) /* Note: in some situations, like with the fsfreeze, logging may be * temporarilly disabled. if it is necessary that a command be able 
@@ -559,7 +563,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, } if (!has_count) { count = QGA_READ_COUNT_DEFAULT; - } else if (count < 0 || count >= UINT32_MAX) { + } else if (count < 0 || count > GUEST_FILE_READ_COUNT_MAX) { error_setg(errp, "value '%" PRId64 "' is invalid for argument count", count); return NULL;
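Review bot: in the qga/commands.c bounds-check hunk, `count > GUEST_FILE_READ_COUNT_MAX` caps the later `g_malloc0(count + 1)` at a little over 10 MiB, which is what makes the 1/4 revert to `g_malloc0()` safe; but the rejection message `"value '%" PRId64 "' is invalid for argument count"` still gives the caller no hint of the limit, so suggest appending it, e.g. `"... (maximum is %" PRId64 ")"` with `(int64_t)GUEST_FILE_READ_COUNT_MAX` as the extra argument. In the includes hunk, `+#include "commands-common.h"` belongs in 3/4, which is where commands.c first started calling `guest_file_handle_find()` and `guest_file_read_unsafe()`. Minor: the qapi-schema.json hunk writes "10 MB" in the description and "10MB" in the @count line; pick one spelling, and since the limit is `10 * MiB` the unit is really MiB.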