qemu-e2k/block
Murilo Opsfelder Araujo c4365735a7 block/nbd: fix segmentation fault when .desc is not null-terminated
The find_desc_by_name() from util/qemu-option.c relies on the .name not being
NULL to call strcmp(). This check becomes unsafe when the list is not
NULL-terminated, which is the case of nbd_runtime_opts in block/nbd.c, and can
result in segmentation fault when strcmp() tries to access an invalid memory:

    #0 0x00007fff8c75f7d4 in __strcmp_power9 () from /lib64/libc.so.6
    #1 0x00000000102d3ec8 in find_desc_by_name (desc=0x1036d6f0, name=0x28e46670 "server.path") at util/qemu-option.c:166
    #2 0x00000000102d93e0 in qemu_opts_absorb_qdict (opts=0x28e47a80, qdict=0x28e469a0, errp=0x7fffec247c98) at util/qemu-option.c:1026
    #3 0x000000001012a2e4 in nbd_open (bs=0x28e42290, options=0x28e469a0, flags=24578, errp=0x7fffec247d80) at block/nbd.c:406
    #4 0x00000000100144e8 in bdrv_open_driver (bs=0x28e42290, drv=0x1036e070 <bdrv_nbd_unix>, node_name=0x0, options=0x28e469a0, open_flags=24578, errp=0x7fffec247f50) at block.c:1135
    #5 0x0000000010015b04 in bdrv_open_common (bs=0x28e42290, file=0x0, options=0x28e469a0, errp=0x7fffec247f50) at block.c:1395

>From gdb, the desc[i].name was not NULL and resulted in strcmp() accessing an
invalid memory:

    >>> p desc[5]
    $8 = {
      name = 0x1037f098 "R27A",
      type = 1561964883,
      help = 0xc0bbb23e <error: Cannot access memory at address 0xc0bbb23e>,
      def_value_str = 0x2 <error: Cannot access memory at address 0x2>
    }
    >>> p desc[6]
    $9 = {
      name = 0x103dac78 <__gcov0.do_qemu_init_bdrv_nbd_init> "\001",
      type = 272101528,
      help = 0x29ec0b754403e31f <error: Cannot access memory at address 0x29ec0b754403e31f>,
      def_value_str = 0x81f343b9 <error: Cannot access memory at address 0x81f343b9>
    }

This patch fixes the segmentation fault in strcmp() by adding a NULL element at
the end of nbd_runtime_opts.desc list, which is the common practice to most of
other structs like runtime_opts in block/null.c. Thus, the desc[i].name != NULL
check becomes safe because it will not evaluate to true when .desc list reached
its end.

Reported-by: R. Nageswara Sastry <nasastry@in.ibm.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
Signed-off-by: Murilo Opsfelder Araujo <muriloo@linux.vnet.ibm.com>
Message-Id: <20180105133241.14141-2-muriloo@linux.vnet.ibm.com>
CC: qemu-stable@nongnu.org
Fixes: 7ccc44fd7d
Signed-off-by: Eric Blake <eblake@redhat.com>
2018-01-08 09:12:23 -06:00
..
accounting.c block: make accounting thread-safe 2017-06-16 07:55:00 +08:00
backup.c backup: use copy_bitmap in incremental backup 2017-12-18 10:54:13 -05:00
blkdebug.c block: Align block status requests 2017-10-26 14:45:57 +02:00
blkreplay.c block: change variable names in BlockDriverState 2017-06-26 14:54:46 +02:00
blkverify.c blkverify: Catch bs->exact_filename overflow 2017-06-26 14:54:46 +02:00
block-backend.c block: Don't request I/O permission with BDRV_O_NO_IO 2017-11-21 14:48:22 +01:00
bochs.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
cloop.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
commit.c commit: Simplify reopen of base 2017-12-22 15:05:32 +01:00
crypto.c block: support passthrough of BDRV_REQ_FUA in crypto driver 2017-10-06 16:30:47 +02:00
crypto.h qcow: convert QCow to use QCryptoBlock for encryption 2017-07-11 17:44:56 +02:00
curl.c block/curl: fix minor memory leaks 2017-12-18 15:44:39 -05:00
dirty-bitmap.c hbitmap: add next_zero function 2017-12-18 10:54:13 -05:00
dmg-bz2.c dmg: Move libbz2 code to dmg-bz2.so 2016-10-07 14:14:06 +02:00
dmg.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
dmg.h block: remove "qemu/osdep.h" from header file 2017-12-18 17:07:02 +03:00
file-posix.c file-posix: Clear out first sector in hdev_create 2017-09-26 14:46:23 +02:00
file-win32.c qapi: Change data type of the FOO_lookup generated for enum FOO 2017-09-04 13:09:13 +02:00
gluster.c qapi: Change data type of the FOO_lookup generated for enum FOO 2017-09-04 13:09:13 +02:00
io.c block: Allow graph changes in subtree drained section 2017-12-22 15:05:32 +01:00
iscsi-opts.c block/iscsi: statically link qemu_iscsi_opts 2017-01-27 18:07:58 +01:00
iscsi.c block/iscsi: only report an iSCSI Failure if we don't handle it gracefully 2017-12-21 09:30:32 +01:00
linux-aio.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
Makefile.objs block: add throttle block filter driver 2017-09-06 10:12:02 +02:00
mirror.c blockjob: remove clock argument from block_job_sleep_ns 2017-11-29 15:11:02 +01:00
nbd-client.c nbd: Don't crash when server reports NBD_CMD_READ failure 2017-11-17 08:02:45 -06:00
nbd-client.h nbd: Minimal structured read for client 2017-10-30 21:48:41 +01:00
nbd.c block/nbd: fix segmentation fault when .desc is not null-terminated 2018-01-08 09:12:23 -06:00
nfs.c block/nfs: fix nfs_client_open for filesize greater than 1TB 2017-11-29 15:28:15 +01:00
null.c coroutine: simplify co_aio_sleep_ns() prototype 2017-12-19 09:25:27 +00:00
parallels.c block/parallels: add migration blocker 2017-11-14 18:06:26 +01:00
qapi.c block: Guard against NULL bs->drv 2017-11-17 18:21:31 +01:00
qcow2-bitmap.c qcow2: Switch store_bitmap_data() to byte-based iteration 2017-10-06 16:28:58 +02:00
qcow2-cache.c qcow2: Fix overly broad madvise() 2017-11-17 18:21:31 +01:00
qcow2-cluster.c qcow2: Unaligned zero cluster in handle_alloc() 2017-11-17 18:21:30 +01:00
qcow2-refcount.c qcow2: Add bounds check to get_refblock_offset() 2017-11-17 18:21:31 +01:00
qcow2-snapshot.c qcow2: Discard/zero clusters by byte count 2017-05-11 14:28:07 +02:00
qcow2.c qcow2: get rid of qcow2_backing_read1 routine 2017-12-22 15:03:41 +01:00
qcow2.h qcow2: get rid of qcow2_backing_read1 routine 2017-12-22 15:03:41 +01:00
qcow.c block: convert qcrypto_block_encrypt|decrypt to take bytes offset 2017-10-06 16:30:47 +02:00
qed-check.c qed: Use DIV_ROUND_UP 2016-06-07 18:19:24 +03:00
qed-cluster.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-l2-cache.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-table.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed.c block: rename bdrv_co_drain to bdrv_co_drain_begin 2017-10-13 12:38:41 +01:00
qed.h qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
quorum.c qapi: Change data type of the FOO_lookup generated for enum FOO 2017-09-04 13:09:13 +02:00
raw-format.c block: remove unused bdrv_media_changed 2017-09-04 18:31:13 +02:00
rbd.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
replication.c block: Keep nodes drained between reopen_queue/multiple 2017-12-22 15:05:32 +01:00
sheepdog.c Pull request 2017-12-20 11:30:55 +00:00
snapshot.c block: Error out on load_vm with active dirty bitmaps 2017-11-21 14:48:23 +01:00
ssh.c util: remove the obsolete non-blocking connect 2017-09-05 13:21:58 +01:00
stream.c blockjob: remove clock argument from block_job_sleep_ns 2017-11-29 15:11:02 +01:00
throttle-groups.c throttle-groups: forget timer and schedule next TGM on detach 2017-11-16 14:12:57 +00:00
throttle.c block/throttle.c: add bdrv_co_drain_begin/end callbacks 2017-10-13 12:38:41 +01:00
trace-events block: Make bdrv_round_to_clusters() signature more useful 2017-10-26 14:45:57 +02:00
vdi.c vdi: make it thread-safe 2017-07-17 11:28:15 +08:00
vhdx-endian.c vhdx: Use QEMU UUID API 2016-09-23 11:42:52 +08:00
vhdx-log.c vhdx: use QEMU_ALIGN_DOWN 2017-08-31 12:29:07 +02:00
vhdx.c block/vhdx.c: Don't blindly update the header 2017-11-14 18:06:25 +01:00
vhdx.h
vmdk.c vmdk: Fix error handling/reporting of vmdk_check 2017-08-08 15:19:16 +02:00
vpc.c vpc: use DIV_ROUND_UP 2017-08-31 12:29:07 +02:00
vvfat.c block: Guard against NULL bs->drv 2017-11-17 18:21:31 +01:00
vxhs.c qobject: Use simpler QDict/QList scalar insertion macros 2017-05-09 09:13:51 +02:00
win32-aio.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
write-threshold.c block: use bdrv_add_before_write_notifier 2016-10-07 13:34:07 +02:00