* exec.c use after free

* Xen 32-on-64 breakage * missing EINTR * naughty warning under qtest -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAABCAAGBQJWXuCDAAoJEL/70l94x66DEMMH/3MDMvuFCRHM9CgBkX/VV6hZ S+5WLs+lit3AJ68Fas+Q/lF1inWzzR3QQFqRJUACdoKMx8B/bH3oQws42WemGIJX pIhgDWolTn5lRAo/9nQBUEnm2RBzAkS0qbIoXunFDGxfuZDWJDS/0sdUonrvS1X/ 3/TXsKw9/7YzaZ2x2NK7ZxCdl/XR1mw/YWHS7/TbjHWOS2HEsGB8f5xKLBUYPWPi /Ph41Z4Yb7biztoQ8HHOve4jfzuo3hqPp6qxvcqPfXSprEMjmpz7HiJALJXsu2O1 uTng5/Nod6Cdm3ZrA9fTvZQH0OM7KHsLH3mcvn5NzFdfXV0EvLpH70SDmSSWRNM= =K3Wn -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging * exec.c use after free * Xen 32-on-64 breakage * missing EINTR * naughty warning under qtest # gpg: Signature made Wed 02 Dec 2015 12:13:55 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" * remotes/bonzini/tags/for-upstream: translate-all: ensure host page mask is always extended with 1's main-loop: suppress warnings under qtest qemu-char: retry g_poll on EINTR exec: Stop using memory after free Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-02 15:41:38 +00:00 · 2015-12-02 15:41:38 +00:00 · 30a9fd5d13
commit 30a9fd5d13
parent 9d7b969ea6 0c2d70c448
10 changed files with 27 additions and 17 deletions
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@ -740,8 +740,7 @@ static void padzero(abi_ulong elf_bss, abi_ulong last_bss)
           size must be known */
        if (qemu_real_host_page_size < qemu_host_page_size) {
            abi_ulong end_addr, end_addr1;
-            end_addr1 = (elf_bss + qemu_real_host_page_size - 1) &
-                ~(qemu_real_host_page_size - 1);
+            end_addr1 = REAL_HOST_PAGE_ALIGN(elf_bss);
            end_addr = HOST_PAGE_ALIGN(elf_bss);
            if (end_addr1 < end_addr) {
                mmap((void *)g2h(end_addr1), end_addr - end_addr1,
--- a/exec.c
+++ b/exec.c
@ -1064,9 +1064,11 @@ static uint16_t phys_section_add(PhysPageMap *map,

 static void phys_section_destroy(MemoryRegion *mr)
 {
+    bool have_sub_page = mr->subpage;
+
    memory_region_unref(mr);

-    if (mr->subpage) {
+    if (have_sub_page) {
        subpage_t *subpage = container_of(mr, subpage_t, iomem);
        object_unref(OBJECT(&subpage->iomem));
        g_free(subpage);
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@ -174,11 +174,13 @@ extern unsigned long reserved_va;
 #define TARGET_PAGE_MASK ~(TARGET_PAGE_SIZE - 1)
 #define TARGET_PAGE_ALIGN(addr) (((addr) + TARGET_PAGE_SIZE - 1) & TARGET_PAGE_MASK)

-/* ??? These should be the larger of uintptr_t and target_ulong.  */
+/* Using intptr_t ensures that qemu_*_page_mask is sign-extended even
+ * when intptr_t is 32-bit and we are aligning a long long.
+ */
 extern uintptr_t qemu_real_host_page_size;
-extern uintptr_t qemu_real_host_page_mask;
+extern intptr_t qemu_real_host_page_mask;
 extern uintptr_t qemu_host_page_size;
-extern uintptr_t qemu_host_page_mask;
+extern intptr_t qemu_host_page_mask;

 #define HOST_PAGE_ALIGN(addr) (((addr) + qemu_host_page_size - 1) & qemu_host_page_mask)
 #define REAL_HOST_PAGE_ALIGN(addr) (((addr) + qemu_real_host_page_size - 1) & \
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@ -1478,8 +1478,7 @@ static void zero_bss(abi_ulong elf_bss, abi_ulong last_bss, int prot)

    host_start = (uintptr_t) g2h(elf_bss);
    host_end = (uintptr_t) g2h(last_bss);
-    host_map_start = (host_start + qemu_real_host_page_size - 1);
-    host_map_start &= -qemu_real_host_page_size;
+    host_map_start = REAL_HOST_PAGE_ALIGN(host_start);

    if (host_map_start < host_end) {
        void *p = mmap((void *)host_map_start, host_end - host_map_start,
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@ -444,9 +444,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
           /* If so, truncate the file map at eof aligned with 
              the hosts real pagesize. Additional anonymous maps
              will be created beyond EOF.  */
-           len = (sb.st_size - offset);
-           len += qemu_real_host_page_size - 1;
-           len &= ~(qemu_real_host_page_size - 1);
+           len = REAL_HOST_PAGE_ALIGN(sb.st_size - offset);
       }
    }

--- a/main-loop.c
+++ b/main-loop.c
@ -230,7 +230,7 @@ static int os_host_main_loop_wait(int64_t timeout)
    if (!timeout && (spin_counter > MAX_MAIN_LOOP_SPIN)) {
        static bool notified;

-        if (!notified && !qtest_enabled()) {
+        if (!notified && !qtest_driver()) {
            fprintf(stderr,
                    "main-loop: WARNING: I/O thread spun for %d iterations\n",
                    MAX_MAIN_LOOP_SPIN);
--- a/qemu-char.c
+++ b/qemu-char.c
@ -1241,11 +1241,16 @@ static void pty_chr_update_read_handler_locked(CharDriverState *chr)
 {
    PtyCharDriver *s = chr->opaque;
    GPollFD pfd;
+    int rc;

    pfd.fd = g_io_channel_unix_get_fd(s->fd);
    pfd.events = G_IO_OUT;
    pfd.revents = 0;
-    g_poll(&pfd, 1, 0);
+    do {
+        rc = g_poll(&pfd, 1, 0);
+    } while (rc == -1 && errno == EINTR);
+    assert(rc >= 0);
+
    if (pfd.revents & G_IO_HUP) {
        pty_chr_state(chr, 0);
    } else {
--- a/stubs/qtest.c
+++ b/stubs/qtest.c
@ -12,3 +12,8 @@

 /* Needed for qtest_allowed() */
 bool qtest_allowed;
+
+bool qtest_driver(void)
+{
+    return false;
+}
--- a/translate-all.c
+++ b/translate-all.c
@ -118,7 +118,7 @@ typedef struct PageDesc {
 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)

 uintptr_t qemu_host_page_size;
-uintptr_t qemu_host_page_mask;
+intptr_t qemu_host_page_mask;

 /* The bottom level has pointers to PageDesc */
 static void *l1_map[V_L1_SIZE];
@ -326,14 +326,14 @@ void page_size_init(void)
    /* NOTE: we can always suppose that qemu_host_page_size >=
       TARGET_PAGE_SIZE */
    qemu_real_host_page_size = getpagesize();
-    qemu_real_host_page_mask = ~(qemu_real_host_page_size - 1);
+    qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
    if (qemu_host_page_size == 0) {
        qemu_host_page_size = qemu_real_host_page_size;
    }
    if (qemu_host_page_size < TARGET_PAGE_SIZE) {
        qemu_host_page_size = TARGET_PAGE_SIZE;
    }
-    qemu_host_page_mask = ~(qemu_host_page_size - 1);
+    qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
 }

 static void page_init(void)
--- a/translate-common.c
+++ b/translate-common.c
@ -21,7 +21,7 @@
 #include "qom/cpu.h"

 uintptr_t qemu_real_host_page_size;
-uintptr_t qemu_real_host_page_mask;
+intptr_t qemu_real_host_page_mask;

 #ifndef CONFIG_USER_ONLY
 /* mask must never be zero, except for A20 change call */