qemu-devel


Re: [PATCH for-8.1] hw/rdma/vmw/pvrdma_cmd: Use correct struct in query_


From: Michael Tokarev
Subject: Re: [PATCH for-8.1] hw/rdma/vmw/pvrdma_cmd: Use correct struct in query_port()
Date: Sat, 23 Sep 2023 18:15:17 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1

22.09.2023 18:05, Thomas Huth wrote:

Reviewed-by: Thomas Huth <thuth@redhat.com>

Maybe this could go via qemu-trivial?

On 12/09/2023 16.08, Peter Maydell wrote:
Ping^2 for review/pickup by the rdma folks, please?

Is anybody still using this subsystem? ... if not, then it's maybe time to set 
this on the deprecation list? ... just my 0.02 €.

I applied this to my trivial-patches tree for now.

There were several security issues in this area, I think
one of them is still open with a patch posted to the list
but no one was able to review it because the code is rather
scary (iirc it was Phil who tried to review it but failed).

Here's what I have in debian for quite some time:

 # pvrdma is an extension/optimisation for vmxnet3 vmware virtual network
 # adapter. This piece of code seems to be buggy and poorly maintained,
 # resulting in numerous security issues which comes unfixed for long time.
 # This device isn't native for qemu.
 # Just disable it for now.
 common_configure_opts += --disable-pvrdma

So yes, it smells like deprecating it is a way to go.

FWIW.

/mjt

On Tue, 29 Aug 2023 at 16:49, Peter Maydell <peter.maydell@linaro.org> wrote:

On Tue, 25 Jul 2023 at 12:36, Peter Maydell <peter.maydell@linaro.org> wrote:

In query_port() we pass the address of a local pvrdma_port_attr
struct to the rdma_query_backend_port() function.  Unfortunately,
rdma_backend_query_port() wants a pointer to a struct ibv_port_attr,
and the two are not the same length.

Coverity spotted this (CID 1507146): pvrdma_port_attr is 48 bytes
long, and ibv_port_attr is 52 bytes, because it has a few extra
fields at the end.

Fortunately, all we do with the attrs struct after the call is to
read a few specific fields out of it which are all at the same
offsets in both structs, so we can simply make the local variable the
correct type.  This also lets us drop the cast (which should have
been a bit of a warning flag that we were doing something wrong
here).

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
I don't know anything about the rdma code so this fix is based
purely on looking at the code, and is untested beyond just
make check/make check-avocado.
---
  hw/rdma/vmw/pvrdma_cmd.c | 5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index c6ed0259821..d31c1875938 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -129,14 +129,13 @@ static int query_port(PVRDMADev *dev, union 
pvrdma_cmd_req *req,
  {
      struct pvrdma_cmd_query_port *cmd = &req->query_port;
      struct pvrdma_cmd_query_port_resp *resp = &rsp->query_port_resp;
-    struct pvrdma_port_attr attrs = {};
+    struct ibv_port_attr attrs = {};

      if (cmd->port_num > MAX_PORTS) {
          return -EINVAL;
      }

-    if (rdma_backend_query_port(&dev->backend_dev,
-                                (struct ibv_port_attr *)&attrs)) {
+    if (rdma_backend_query_port(&dev->backend_dev, &attrs)) {
          return -ENOMEM;
      }
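
Review bot: the new declaration `struct ibv_port_attr attrs = {};` fixes the size mismatch, but the reads of attrs that follow the rdma_backend_query_port() call are below this hunk, so the diff does not show which fields are consumed. A successful build only proves those field names exist in ibv_port_attr; please name the fields in the commit message (it says only "a few specific fields") so a reviewer can confirm their types and values carry over, especially since the change is untested beyond make check/make check-avocado and is Cc'd to qemu-stable. Separately, the failure branch still returns -ENOMEM for any rdma_backend_query_port() error; if the backend's return value is an errno, passing it through would be more accurate.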

Ping for review/testing by the rdma folks, please?
Whose tree should this patch go through?
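
The size mismatch described in the commit message above, as an added example that is not QEMU code and not part of the thread. The two structs, backend_query() and clobbered_after() are constructed stand-ins: only the 48/52-byte sizes and the extra trailing field come from the thread, and the caller's stack frame is modelled as a byte array so the 4-byte overrun can be measured without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not the real layouts: only the sizes (48 and 52
 * bytes) and the extra trailing field mirror what the thread describes. */
struct guest_attr   { uint32_t state, max_mtu, rest[10]; };
struct backend_attr { uint32_t state, max_mtu, rest[10], extra; };

_Static_assert(sizeof(struct guest_attr) == 48, "constructed size");
_Static_assert(sizeof(struct backend_attr) == 52, "constructed size");
_Static_assert(offsetof(struct guest_attr, max_mtu) ==
               offsetof(struct backend_attr, max_mtu), "shared offset");

/* Hypothetical backend: writes every byte of the struct it was promised. */
static int backend_query(struct backend_attr *out)
{
    struct backend_attr a;
    memset(&a, 0xAB, sizeof(a));
    a.state = 4;
    a.max_mtu = 4096;
    memcpy(out, &a, sizeof(a));
    return 0;
}

/* Model the caller's frame as bytes: a local of 'slot' bytes at offset 0,
 * neighbours after it. Returns how many neighbour bytes the call changed;
 * *mtu gets the value the caller reads back through the 48-byte view. */
static size_t clobbered_after(size_t slot, uint32_t *mtu)
{
    _Alignas(struct backend_attr) unsigned char frame[64];
    struct guest_attr view;
    size_t i, n = 0;
    memset(frame, 0x5A, sizeof(frame));            /* canary pattern */
    backend_query((struct backend_attr *)frame);   /* cast hides the mismatch */
    memcpy(&view, frame, sizeof(view));
    *mtu = view.max_mtu;
    for (i = slot; i < sizeof(frame); i++) {
        n += frame[i] != 0x5A;
    }
    return n;
}

int main(void)
{
    uint32_t mtu;
    size_t past = clobbered_after(sizeof(struct guest_attr), &mtu);
    printf("bytes written past a 48-byte local: %zu, mtu read back: %u\n",
           past, (unsigned)mtu);
    return 0;
}
```

The shared fields read back correctly either way, which is why the mismatch showed no functional symptom; only the size of the caller's local decides whether the trailing 4 bytes land on a neighbour.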






