mirror of
				https://git.proxmox.com/git/qemu
				synced 2025-10-26 09:40:34 +00:00 
			
		
		
		
	 bbdd2ad081
			
		
	
	
		bbdd2ad081
		
	
	
	
	
		
			
			tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does not check if the fd it is using is valid (>= 0) before passing it to qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not initially connected, this can result in -1 being passed to FD_ISSET, which has undefined behaviour. On x86 it seems to harmlessly return 0, but on PowerPC, it causes a fortify buffer overflow error to be thrown. This patch fixes this by putting an extra test in tcp_chr_connect(), and also adds an assert qemu_set_fd_handler2() to catch other such errors on all platforms, rather than just some. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
		
			
				
	
	
		
			198 lines
		
	
	
		
			5.5 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			198 lines
		
	
	
		
			5.5 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * QEMU System Emulator - managing I/O handler
 | |
|  *
 | |
|  * Copyright (c) 2003-2008 Fabrice Bellard
 | |
|  *
 | |
|  * Permission is hereby granted, free of charge, to any person obtaining a copy
 | |
|  * of this software and associated documentation files (the "Software"), to deal
 | |
|  * in the Software without restriction, including without limitation the rights
 | |
|  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 | |
|  * copies of the Software, and to permit persons to whom the Software is
 | |
|  * furnished to do so, subject to the following conditions:
 | |
|  *
 | |
|  * The above copyright notice and this permission notice shall be included in
 | |
|  * all copies or substantial portions of the Software.
 | |
|  *
 | |
|  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 | |
|  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 | |
|  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 | |
|  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 | |
|  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 | |
|  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 | |
|  * THE SOFTWARE.
 | |
|  */
 | |
| 
 | |
| #include "config-host.h"
 | |
| #include "qemu-common.h"
 | |
| #include "qemu-char.h"
 | |
| #include "qemu-queue.h"
 | |
| #include "main-loop.h"
 | |
| 
 | |
| #ifndef _WIN32
 | |
| #include <sys/wait.h>
 | |
| #endif
 | |
| 
 | |
| typedef struct IOHandlerRecord {
 | |
|     IOCanReadHandler *fd_read_poll;
 | |
|     IOHandler *fd_read;
 | |
|     IOHandler *fd_write;
 | |
|     void *opaque;
 | |
|     QLIST_ENTRY(IOHandlerRecord) next;
 | |
|     int fd;
 | |
|     bool deleted;
 | |
| } IOHandlerRecord;
 | |
| 
 | |
| static QLIST_HEAD(, IOHandlerRecord) io_handlers =
 | |
|     QLIST_HEAD_INITIALIZER(io_handlers);
 | |
| 
 | |
| 
 | |
| /* XXX: fd_read_poll should be suppressed, but an API change is
 | |
|    necessary in the character devices to suppress fd_can_read(). */
 | |
| int qemu_set_fd_handler2(int fd,
 | |
|                          IOCanReadHandler *fd_read_poll,
 | |
|                          IOHandler *fd_read,
 | |
|                          IOHandler *fd_write,
 | |
|                          void *opaque)
 | |
| {
 | |
|     IOHandlerRecord *ioh;
 | |
| 
 | |
|     assert(fd >= 0);
 | |
| 
 | |
|     if (!fd_read && !fd_write) {
 | |
|         QLIST_FOREACH(ioh, &io_handlers, next) {
 | |
|             if (ioh->fd == fd) {
 | |
|                 ioh->deleted = 1;
 | |
|                 break;
 | |
|             }
 | |
|         }
 | |
|     } else {
 | |
|         QLIST_FOREACH(ioh, &io_handlers, next) {
 | |
|             if (ioh->fd == fd)
 | |
|                 goto found;
 | |
|         }
 | |
|         ioh = g_malloc0(sizeof(IOHandlerRecord));
 | |
|         QLIST_INSERT_HEAD(&io_handlers, ioh, next);
 | |
|     found:
 | |
|         ioh->fd = fd;
 | |
|         ioh->fd_read_poll = fd_read_poll;
 | |
|         ioh->fd_read = fd_read;
 | |
|         ioh->fd_write = fd_write;
 | |
|         ioh->opaque = opaque;
 | |
|         ioh->deleted = 0;
 | |
|         qemu_notify_event();
 | |
|     }
 | |
|     return 0;
 | |
| }
 | |
| 
 | |
| int qemu_set_fd_handler(int fd,
 | |
|                         IOHandler *fd_read,
 | |
|                         IOHandler *fd_write,
 | |
|                         void *opaque)
 | |
| {
 | |
|     return qemu_set_fd_handler2(fd, NULL, fd_read, fd_write, opaque);
 | |
| }
 | |
| 
 | |
| void qemu_iohandler_fill(int *pnfds, fd_set *readfds, fd_set *writefds, fd_set *xfds)
 | |
| {
 | |
|     IOHandlerRecord *ioh;
 | |
| 
 | |
|     QLIST_FOREACH(ioh, &io_handlers, next) {
 | |
|         if (ioh->deleted)
 | |
|             continue;
 | |
|         if (ioh->fd_read &&
 | |
|             (!ioh->fd_read_poll ||
 | |
|              ioh->fd_read_poll(ioh->opaque) != 0)) {
 | |
|             FD_SET(ioh->fd, readfds);
 | |
|             if (ioh->fd > *pnfds)
 | |
|                 *pnfds = ioh->fd;
 | |
|         }
 | |
|         if (ioh->fd_write) {
 | |
|             FD_SET(ioh->fd, writefds);
 | |
|             if (ioh->fd > *pnfds)
 | |
|                 *pnfds = ioh->fd;
 | |
|         }
 | |
|     }
 | |
| }
 | |
| 
 | |
| void qemu_iohandler_poll(fd_set *readfds, fd_set *writefds, fd_set *xfds, int ret)
 | |
| {
 | |
|     if (ret > 0) {
 | |
|         IOHandlerRecord *pioh, *ioh;
 | |
| 
 | |
|         QLIST_FOREACH_SAFE(ioh, &io_handlers, next, pioh) {
 | |
|             if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, readfds)) {
 | |
|                 ioh->fd_read(ioh->opaque);
 | |
|             }
 | |
|             if (!ioh->deleted && ioh->fd_write && FD_ISSET(ioh->fd, writefds)) {
 | |
|                 ioh->fd_write(ioh->opaque);
 | |
|             }
 | |
| 
 | |
|             /* Do this last in case read/write handlers marked it for deletion */
 | |
|             if (ioh->deleted) {
 | |
|                 QLIST_REMOVE(ioh, next);
 | |
|                 g_free(ioh);
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| }
 | |
| 
 | |
| /* reaping of zombies.  right now we're not passing the status to
 | |
|    anyone, but it would be possible to add a callback.  */
 | |
| #ifndef _WIN32
 | |
| typedef struct ChildProcessRecord {
 | |
|     int pid;
 | |
|     QLIST_ENTRY(ChildProcessRecord) next;
 | |
| } ChildProcessRecord;
 | |
| 
 | |
| static QLIST_HEAD(, ChildProcessRecord) child_watches =
 | |
|     QLIST_HEAD_INITIALIZER(child_watches);
 | |
| 
 | |
| static QEMUBH *sigchld_bh;
 | |
| 
 | |
| static void sigchld_handler(int signal)
 | |
| {
 | |
|     qemu_bh_schedule(sigchld_bh);
 | |
| }
 | |
| 
 | |
| static void sigchld_bh_handler(void *opaque)
 | |
| {
 | |
|     ChildProcessRecord *rec, *next;
 | |
| 
 | |
|     QLIST_FOREACH_SAFE(rec, &child_watches, next, next) {
 | |
|         if (waitpid(rec->pid, NULL, WNOHANG) == rec->pid) {
 | |
|             QLIST_REMOVE(rec, next);
 | |
|             g_free(rec);
 | |
|         }
 | |
|     }
 | |
| }
 | |
| 
 | |
| static void qemu_init_child_watch(void)
 | |
| {
 | |
|     struct sigaction act;
 | |
|     sigchld_bh = qemu_bh_new(sigchld_bh_handler, NULL);
 | |
| 
 | |
|     act.sa_handler = sigchld_handler;
 | |
|     act.sa_flags = SA_NOCLDSTOP;
 | |
|     sigaction(SIGCHLD, &act, NULL);
 | |
| }
 | |
| 
 | |
| int qemu_add_child_watch(pid_t pid)
 | |
| {
 | |
|     ChildProcessRecord *rec;
 | |
| 
 | |
|     if (!sigchld_bh) {
 | |
|         qemu_init_child_watch();
 | |
|     }
 | |
| 
 | |
|     QLIST_FOREACH(rec, &child_watches, next) {
 | |
|         if (rec->pid == pid) {
 | |
|             return 1;
 | |
|         }
 | |
|     }
 | |
|     rec = g_malloc0(sizeof(ChildProcessRecord));
 | |
|     rec->pid = pid;
 | |
|     QLIST_INSERT_HEAD(&child_watches, rec, next);
 | |
|     return 0;
 | |
| }
 | |
| #endif
 |