QEMU

Xfer:features:read truncating xml sent to gdb frontends

Bug #1703147 reported by Duane Voth
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

Around line 1326 in gdbstub.c:

            if (len > (MAX_PACKET_LENGTH - 5) / 2)
                len = (MAX_PACKET_LENGTH - 5) / 2;

is truncating processor reg description xml files longer than 2045 bytes. Deleting these lines works for my immediate need, but they seem to be trying to fix some buffer overrun condition so I won't offer a patch until we understand their purpose.

Revision history for this message
Peter Maydell (pmaydell) wrote : Re: [Qemu-devel] [Bug 1703147] [NEW] Xfer:features:read truncating xml sent to gdb frontends

On 8 July 2017 at 22:19, Duane Voth <email address hidden> wrote:
> Around line 1326 in gdbstub.c:
>
> if (len > (MAX_PACKET_LENGTH - 5) / 2)
> len = (MAX_PACKET_LENGTH - 5) / 2;
>
> is truncating processor reg description xml files longer than 2045
> bytes. Deleting these lines works for my immediate need, but they seem
> to be trying to fix some buffer overrun condition so I won't offer a
> patch until we understand their purpose.

Those lines prevent the packet we're constructing overrunning
the buf[] array (in the worst case the packet encoding could
use 2 bytes of buffer for every byte of payload). It's probably
working for you without them because (a) the XML payload doesn't
come near the worst-case and (b) buf[] is followed on the stack
by mem_buf[] which happens to be unused here so overrunning into
it has no visible harmful effects.

Truncating the XML is clearly not what we want though so we
should do something more intelligent...

thanks
-- PMM

Revision history for this message
Thomas Huth (th-huth) wrote :

The QEMU project is currently considering to move its bug tracking to
another system. For this we need to know which bugs are still valid
and which could be closed already. Thus we are setting older bugs to
"Incomplete" now.

If you still think this bug report here is valid, then please switch
the state back to "New" within the next 60 days, otherwise this report
will be marked as "Expired". Or please mark it as "Fix Released" if
the problem has been solved with a newer version of QEMU already.

Thank you and sorry for the inconvenience.

Changed in qemu:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status: Incomplete → Expired
Revision history for this message
Duane Voth (duanev) wrote :

Problematic code now around lines 2221 (in handle_query_xfer_features) ... lol I'm the only one impacted ... all the large register set cpus can be affected.

Changed in qemu:
status: Expired → New
Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/458

Changed in qemu:
status: New → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.