qemu-e2k/block
Murilo Opsfelder Araujo c4365735a7 block/nbd: fix segmentation fault when .desc is not null-terminated
The find_desc_by_name() from util/qemu-option.c relies on the .name not being
NULL to call strcmp(). This check becomes unsafe when the list is not
NULL-terminated, which is the case for nbd_runtime_opts in block/nbd.c, and can
result in a segmentation fault when strcmp() tries to access invalid memory:

    #0 0x00007fff8c75f7d4 in __strcmp_power9 () from /lib64/libc.so.6
    #1 0x00000000102d3ec8 in find_desc_by_name (desc=0x1036d6f0, name=0x28e46670 "server.path") at util/qemu-option.c:166
    #2 0x00000000102d93e0 in qemu_opts_absorb_qdict (opts=0x28e47a80, qdict=0x28e469a0, errp=0x7fffec247c98) at util/qemu-option.c:1026
    #3 0x000000001012a2e4 in nbd_open (bs=0x28e42290, options=0x28e469a0, flags=24578, errp=0x7fffec247d80) at block/nbd.c:406
    #4 0x00000000100144e8 in bdrv_open_driver (bs=0x28e42290, drv=0x1036e070 <bdrv_nbd_unix>, node_name=0x0, options=0x28e469a0, open_flags=24578, errp=0x7fffec247f50) at block.c:1135
    #5 0x0000000010015b04 in bdrv_open_common (bs=0x28e42290, file=0x0, options=0x28e469a0, errp=0x7fffec247f50) at block.c:1395

From gdb, the desc[i].name was not NULL and resulted in strcmp() accessing
invalid memory:

    >>> p desc[5]
    $8 = {
      name = 0x1037f098 "R27A",
      type = 1561964883,
      help = 0xc0bbb23e <error: Cannot access memory at address 0xc0bbb23e>,
      def_value_str = 0x2 <error: Cannot access memory at address 0x2>
    }
    >>> p desc[6]
    $9 = {
      name = 0x103dac78 <__gcov0.do_qemu_init_bdrv_nbd_init> "\001",
      type = 272101528,
      help = 0x29ec0b754403e31f <error: Cannot access memory at address 0x29ec0b754403e31f>,
      def_value_str = 0x81f343b9 <error: Cannot access memory at address 0x81f343b9>
    }

This patch fixes the segmentation fault in strcmp() by adding a NULL element at
the end of the nbd_runtime_opts.desc list, which is the common practice for most
other structs, like runtime_opts in block/null.c. Thus, the desc[i].name != NULL
check becomes safe because it will not evaluate to true once the .desc list has
reached its end.

Reported-by: R. Nageswara Sastry <nasastry@in.ibm.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
Signed-off-by: Murilo Opsfelder Araujo <muriloo@linux.vnet.ibm.com>
Message-Id: <20180105133241.14141-2-muriloo@linux.vnet.ibm.com>
CC: qemu-stable@nongnu.org
Fixes: 7ccc44fd7d
Signed-off-by: Eric Blake <eblake@redhat.com>
2018-01-08 09:12:23 -06:00
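Added example (not QEMU's code and not part of this commit): a minimal stand-in for the QemuOptDesc walk the message describes, next to a bounded check that verifies a desc list carries its NULL sentinel without reading past the array. The struct shape, the option names and the helper are assumptions modelled on the commit text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for QEMU's QemuOptDesc; field types are simplified. */
typedef struct OptDesc {
    const char *name;   /* a NULL .name is the end-of-list sentinel */
    int type;
    const char *help;
    const char *def_value_str;
} OptDesc;

/* Same walk as find_desc_by_name() in util/qemu-option.c: the loop stops only
   at a NULL .name, so a list without that sentinel is read past its end. */
static const OptDesc *find_desc_by_name(const OptDesc *desc, const char *name)
{
    for (int i = 0; desc[i].name != NULL; i++) {
        if (strcmp(desc[i].name, name) == 0) return &desc[i];
    }
    return NULL;
}

/* Bounded sentinel check for a unit test or startup assertion: it inspects at
   most 'capacity' entries, so it is safe even on an unterminated list. */
static bool desc_list_is_terminated(const OptDesc *desc, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++) {
        if (desc[i].name == NULL) return true;
    }
    return false;
}

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed lists modelled on nbd_runtime_opts: before and after the fix. */
static const OptDesc nbd_desc_unterminated[] = {
    { "server.path", 0, "path to the Unix socket", NULL },
    { "export", 0, "export name", NULL },
};
static const OptDesc nbd_desc_fixed[] = {
    { "server.path", 0, "path to the Unix socket", NULL },
    { "export", 0, "export name", NULL },
    { NULL, 0, NULL, NULL },   /* end of list: the sentinel this commit adds */
};

int main(void)
{
    const OptDesc *d = find_desc_by_name(nbd_desc_fixed, "export");
    bool ok = desc_list_is_terminated(nbd_desc_unterminated, ARRAY_LEN(nbd_desc_unterminated));
    printf("export found: %s; unterminated list has sentinel: %s\n", d ? "yes" : "no", ok ? "yes" : "no");
    return 0;
}
```

Only the terminated list may be handed to find_desc_by_name(); the bounded check is what lets a test reject the unterminated one before that walk ever runs.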
accounting.c
backup.c backup: use copy_bitmap in incremental backup 2017-12-18 10:54:13 -05:00
blkdebug.c block: Align block status requests 2017-10-26 14:45:57 +02:00
blkreplay.c
blkverify.c
block-backend.c block: Don't request I/O permission with BDRV_O_NO_IO 2017-11-21 14:48:22 +01:00
bochs.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
cloop.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
commit.c commit: Simplify reopen of base 2017-12-22 15:05:32 +01:00
crypto.c
crypto.h
curl.c block/curl: fix minor memory leaks 2017-12-18 15:44:39 -05:00
dirty-bitmap.c hbitmap: add next_zero function 2017-12-18 10:54:13 -05:00
dmg-bz2.c
dmg.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
dmg.h block: remove "qemu/osdep.h" from header file 2017-12-18 17:07:02 +03:00
file-posix.c
file-win32.c
gluster.c
io.c block: Allow graph changes in subtree drained section 2017-12-22 15:05:32 +01:00
iscsi-opts.c
iscsi.c block/iscsi: only report an iSCSI Failure if we don't handle it gracefully 2017-12-21 09:30:32 +01:00
linux-aio.c
Makefile.objs
mirror.c blockjob: remove clock argument from block_job_sleep_ns 2017-11-29 15:11:02 +01:00
nbd-client.c nbd: Don't crash when server reports NBD_CMD_READ failure 2017-11-17 08:02:45 -06:00
nbd-client.h nbd: Minimal structured read for client 2017-10-30 21:48:41 +01:00
nbd.c block/nbd: fix segmentation fault when .desc is not null-terminated 2018-01-08 09:12:23 -06:00
nfs.c block/nfs: fix nfs_client_open for filesize greater than 1TB 2017-11-29 15:28:15 +01:00
null.c coroutine: simplify co_aio_sleep_ns() prototype 2017-12-19 09:25:27 +00:00
parallels.c block/parallels: add migration blocker 2017-11-14 18:06:26 +01:00
qapi.c block: Guard against NULL bs->drv 2017-11-17 18:21:31 +01:00
qcow2-bitmap.c
qcow2-cache.c qcow2: Fix overly broad madvise() 2017-11-17 18:21:31 +01:00
qcow2-cluster.c qcow2: Unaligned zero cluster in handle_alloc() 2017-11-17 18:21:30 +01:00
qcow2-refcount.c qcow2: Add bounds check to get_refblock_offset() 2017-11-17 18:21:31 +01:00
qcow2-snapshot.c
qcow2.c qcow2: get rid of qcow2_backing_read1 routine 2017-12-22 15:03:41 +01:00
qcow2.h qcow2: get rid of qcow2_backing_read1 routine 2017-12-22 15:03:41 +01:00
qcow.c
qed-check.c
qed-cluster.c
qed-l2-cache.c
qed-table.c
qed.c block: rename bdrv_co_drain to bdrv_co_drain_begin 2017-10-13 12:38:41 +01:00
qed.h
quorum.c
raw-format.c
rbd.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
replication.c block: Keep nodes drained between reopen_queue/multiple 2017-12-22 15:05:32 +01:00
sheepdog.c Pull request 2017-12-20 11:30:55 +00:00
snapshot.c block: Error out on load_vm with active dirty bitmaps 2017-11-21 14:48:23 +01:00
ssh.c
stream.c blockjob: remove clock argument from block_job_sleep_ns 2017-11-29 15:11:02 +01:00
throttle-groups.c throttle-groups: forget timer and schedule next TGM on detach 2017-11-16 14:12:57 +00:00
throttle.c block/throttle.c: add bdrv_co_drain_begin/end callbacks 2017-10-13 12:38:41 +01:00
trace-events block: Make bdrv_round_to_clusters() signature more useful 2017-10-26 14:45:57 +02:00
vdi.c
vhdx-endian.c
vhdx-log.c
vhdx.c block/vhdx.c: Don't blindly update the header 2017-11-14 18:06:25 +01:00
vhdx.h
vmdk.c
vpc.c
vvfat.c block: Guard against NULL bs->drv 2017-11-17 18:21:31 +01:00
vxhs.c
win32-aio.c
write-threshold.c