diff options
| author | Philippe Mathieu-Daudé <philmd@redhat.com> | 2019-01-03 09:56:38 +0100 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2019-01-17 21:10:57 -0500 |
| commit | a346af9c881147f04eb7ff9264fe1599928cf067 (patch) | |
| tree | 6a8060c802596dbe7694c62af2d5790bd3ae2139 /migration | |
| parent | 0a5526a18b0245dfa20a9fe453b2a9af3125d175 (diff) | |
| download | qemu-a346af9c881147f04eb7ff9264fe1599928cf067.zip qemu-a346af9c881147f04eb7ff9264fe1599928cf067.tar.gz qemu-a346af9c881147f04eb7ff9264fe1599928cf067.tar.bz2 | |
migration: Use strnlen() for fixed-size string
GCC 8 introduced the -Wstringop-overflow, which detect buffer overflow
by string-modifying functions declared in <string.h>, such strncpy(),
used in global_state_store_running().
GCC indeed found an incorrect use of strlen(), because this array
is loaded by VMSTATE_BUFFER(runstate, GlobalState) then parsed
using qapi_enum_parse which does not get the buffer length.
Use strnlen() which returns sizeof(s->runstate) if the array is not
NUL-terminated, assert the size is within range, and enforce the array
to be NUL-terminated to avoid an overflow in qapi_enum_parse().
This fixes:
CC migration/global_state.o
qemu/migration/global_state.c: In function 'global_state_pre_save':
qemu/migration/global_state.c:109:15: error: 'strlen' argument 1 declared attribute 'nonstring' [-Werror=stringop-overflow=]
s->size = strlen((char *)s->runstate) + 1;
^~~~~~~~~~~~~~~~~~~~~~~~~~~
qemu/migration/global_state.c:24:13: note: argument 'runstate' declared here
uint8_t runstate[100] QEMU_NONSTRING;
^~~~~~~~
cc1: all warnings being treated as errors
make: *** [qemu/rules.mak:69: migration/global_state.o] Error 1
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'migration')
| -rw-r--r-- | migration/global_state.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/migration/global_state.c b/migration/global_state.c index 01805c5..2c8c447 100644 --- a/migration/global_state.c +++ b/migration/global_state.c @@ -89,6 +89,17 @@ static int global_state_post_load(void *opaque, int version_id) s->received = true; trace_migrate_global_state_post_load(runstate); + if (strnlen((char *)s->runstate, + sizeof(s->runstate)) == sizeof(s->runstate)) { + /* + * This condition should never happen during migration, because + * all runstate names are shorter than 100 bytes (the size of + * s->runstate). However, a malicious stream could overflow + * the qapi_enum_parse() call, so we force the last character + * to a NUL byte. + */ + s->runstate[sizeof(s->runstate) - 1] = '\0'; + } r = qapi_enum_parse(&RunState_lookup, runstate, -1, &local_err); if (r == -1) { @@ -107,7 +118,8 @@ static int global_state_pre_save(void *opaque) GlobalState *s = opaque; trace_migrate_global_state_pre_save((char *)s->runstate); - s->size = strlen((char *)s->runstate) + 1; + s->size = strnlen((char *)s->runstate, sizeof(s->runstate)) + 1; + assert(s->size <= sizeof(s->runstate)); return 0; } |