qemu/0202-qemu-char-BUGFIX-don-t-call-FD_ISSET-with-negative-f.patch
2012-10-28 14:05:07 -04:00

60 lines
2.0 KiB
Diff

From 04eefabaae59ad624f0baf3b97a1d1d15cf2a23d Mon Sep 17 00:00:00 2001
From: David Gibson <david@gibson.dropbear.id.au>
Date: Mon, 10 Sep 2012 12:30:56 +1000
Subject: [PATCH] qemu-char: BUGFIX, don't call FD_ISSET with negative fd
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.
This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit bbdd2ad0814ea0911076419ea21b7957505cf1cc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
iohandler.c | 2 ++
qemu-char.c | 6 ++++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/iohandler.c b/iohandler.c
index dea4355..a2d871b 100644
--- a/iohandler.c
+++ b/iohandler.c
@@ -56,6 +56,8 @@ int qemu_set_fd_handler2(int fd,
{
IOHandlerRecord *ioh;
+ assert(fd >= 0);
+
if (!fd_read && !fd_write) {
QLIST_FOREACH(ioh, &io_handlers, next) {
if (ioh->fd == fd) {
diff --git a/qemu-char.c b/qemu-char.c
index 10d1504..7f0f895 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2329,8 +2329,10 @@ static void tcp_chr_connect(void *opaque)
TCPCharDriver *s = chr->opaque;
s->connected = 1;
- qemu_set_fd_handler2(s->fd, tcp_chr_read_poll,
- tcp_chr_read, NULL, chr);
+ if (s->fd >= 0) {
+ qemu_set_fd_handler2(s->fd, tcp_chr_read_poll,
+ tcp_chr_read, NULL, chr);
+ }
qemu_chr_generic_open(chr);
}
--
1.7.12.1