Commit ff372bb5 authored by Peter Maydell

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-4.0-pull-request' into staging



- add new netlink type from linux v4.18 and v4.19
- fix coverity warning (CID 1390634)
- fix ioctl(SIOCGIFCONF) crash

# gpg: Signature made Thu 07 Feb 2019 13:12:53 GMT
# gpg:                using RSA key F30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full]
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>" [full]
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full]
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier2/tags/linux-user-for-4.0-pull-request:
  linux-user: add new netlink types
  linux-user: Check sscanf return value in open_net_route()
  Fix linux-user crashes in ioctl(SIOCGIFCONF) when ifc_buf is NULL.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
parents d55451dc 0f5faca7
+8 −0
@@ -129,6 +129,8 @@ enum {
    QEMU_IFLA_CARRIER_UP_COUNT,
    QEMU_IFLA_CARRIER_DOWN_COUNT,
    QEMU_IFLA_NEW_IFINDEX,
    QEMU_IFLA_MIN_MTU,
    QEMU_IFLA_MAX_MTU,
    QEMU___IFLA_MAX
};

@@ -166,6 +168,8 @@ enum {
    QEMU_IFLA_BRPORT_BCAST_FLOOD,
    QEMU_IFLA_BRPORT_GROUP_FWD_MASK,
    QEMU_IFLA_BRPORT_NEIGH_SUPPRESS,
    QEMU_IFLA_BRPORT_ISOLATED,
    QEMU_IFLA_BRPORT_BACKUP_PORT,
    QEMU___IFLA_BRPORT_MAX
};

@@ -510,6 +514,7 @@ static abi_long host_to_target_slave_data_bridge_nlattr(struct nlattr *nlattr,
    case QEMU_IFLA_BRPORT_VLAN_TUNNEL:
    case QEMU_IFLA_BRPORT_BCAST_FLOOD:
    case QEMU_IFLA_BRPORT_NEIGH_SUPPRESS:
    case QEMU_IFLA_BRPORT_ISOLATED:
        break;
    /* uint16_t */
    case QEMU_IFLA_BRPORT_PRIORITY:
@@ -523,6 +528,7 @@ static abi_long host_to_target_slave_data_bridge_nlattr(struct nlattr *nlattr,
        break;
    /* uin32_t */
    case QEMU_IFLA_BRPORT_COST:
    case QEMU_IFLA_BRPORT_BACKUP_PORT:
        u32 = NLA_DATA(nlattr);
        *u32 = tswap32(*u32);
        break;
@@ -787,6 +793,8 @@ static abi_long host_to_target_data_link_rtattr(struct rtattr *rtattr)
    case QEMU_IFLA_GSO_MAX_SIZE:
    case QEMU_IFLA_CARRIER_UP_COUNT:
    case QEMU_IFLA_CARRIER_DOWN_COUNT:
    case QEMU_IFLA_MIN_MTU:
    case QEMU_IFLA_MAX_MTU:
        u32 = RTA_DATA(rtattr);
        *u32 = tswap32(*u32);
        break;
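Review bot: The new `QEMU_IFLA_BRPORT_BACKUP_PORT` case, like the `QEMU_IFLA_MIN_MTU`/`QEMU_IFLA_MAX_MTU` cases in host_to_target_data_link_rtattr(), byte-swaps four bytes in place at `NLA_DATA(nlattr)` / `RTA_DATA(rtattr)` with no visible check that the attribute length covers a 32-bit payload. The data comes from the host kernel, so this is hardening rather than a known fault, and both functions start and end outside the hunks, so a caller may already validate the length. If it does not, a guard such as `if (nlattr->nla_len < NLA_HDRLEN + sizeof(uint32_t)) break;` ahead of the swap would keep a short attribute from being read and written past its end. Separately, the mirrored enums only work if their order matches the kernel's if_link.h exactly; a one-line comment above each enum naming the kernel release it was last synced with would make the next update easier to audit.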
+40 −28
@@ -4187,16 +4187,18 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
    unlock_user(argptr, arg, 0);

    host_ifconf = (struct ifconf *)(unsigned long)buf_temp;
    target_ifc_len = host_ifconf->ifc_len;
    target_ifc_buf = (abi_long)(unsigned long)host_ifconf->ifc_buf;

    target_ifreq_size = thunk_type_size(ifreq_arg_type, 0);

    if (target_ifc_buf != 0) {
        target_ifc_len = host_ifconf->ifc_len;
        nb_ifreq = target_ifc_len / target_ifreq_size;
        host_ifc_len = nb_ifreq * sizeof(struct ifreq);

        outbufsz = sizeof(*host_ifconf) + host_ifc_len;
        if (outbufsz > MAX_STRUCT_SIZE) {
        /* We can't fit all the extents into the fixed size buffer.
            /*
             * We can't fit all the extents into the fixed size buffer.
             * Allocate one that is large enough and use it instead.
             */
            host_ifconf = malloc(outbufsz);
@@ -4209,6 +4211,9 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
        host_ifc_buf = (char *)host_ifconf + sizeof(*host_ifconf);

        host_ifconf->ifc_len = host_ifc_len;
    } else {
      host_ifc_buf = NULL;
    }
    host_ifconf->ifc_buf = host_ifc_buf;

    ret = get_errno(safe_ioctl(fd, ie->host_cmd, host_ifconf));
@@ -4231,8 +4236,8 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
        thunk_convert(argptr, host_ifconf, arg_type, THUNK_TARGET);
        unlock_user(argptr, arg, target_size);

        if (target_ifc_buf != 0) {
            /* copy ifreq[] to target user */

            argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0);
            for (i = 0; i < nb_ifreq ; i++) {
                thunk_convert(argptr + i * target_ifreq_size,
@@ -4241,6 +4246,7 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
            }
            unlock_user(argptr, target_ifc_buf, target_ifc_len);
        }
    }

    if (free_buf) {
        free(host_ifconf);
@@ -6762,9 +6768,15 @@ static int open_net_route(void *cpu_env, int fd)
        char iface[16];
        uint32_t dest, gw, mask;
        unsigned int flags, refcnt, use, metric, mtu, window, irtt;
        sscanf(line, "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n",
        int fields;

        fields = sscanf(line,
                        "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n",
                        iface, &dest, &gw, &flags, &refcnt, &use, &metric,
                        &mask, &mtu, &window, &irtt);
        if (fields != 11) {
            continue;
        }
        dprintf(fd, "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n",
                iface, tswap32(dest), tswap32(gw), flags, refcnt, use,
                metric, tswap32(mask), mtu, window, irtt);
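Review bot: In do_ioctl_ifconf() the result of `lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0)` is passed straight to the `thunk_convert()` loop as its destination without a NULL check. The commit therefore covers a NULL `ifc_buf`, but a guest passing a non-NULL address that cannot be locked would presumably still crash the emulator. Checking it, e.g. `if (!argptr) { ret = -TARGET_EFAULT; } else { /* loop + unlock_user */ }`, reports the fault to the guest while keeping the `free(host_ifconf)` cleanup at the end reachable. `target_ifc_len` is also guest-supplied and feeds `nb_ifreq` and `outbufsz`; its declaration and any range check lie outside the hunks, so it is worth confirming that a negative or oversized value is rejected before the `malloc(outbufsz)`. In open_net_route() the new `fields != 11` check is welcome, but `%s` into `char iface[16]` remains unbounded and `%15s` would cap it; both function bodies extend beyond the hunks shown.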