search for: check_len

...{ /* Fail if we don't have a big enough queue. */ @@ -303,10 +319,66 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, return 0; } -static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) +static int virtio_ccw_handle_set_vq(SubchDev *sch, CCW1 ccw, bool check_len, + bool is_legacy) { int ret; VqInfoBlock info; + VqInfoBlockLegacy linfo; + size_t info_len = is_legacy ? sizeof(linfo) : sizeof(info); + + if (check_len) { + if (ccw.count != info_len) { + return -EINVAL; + } + } e...

...{ /* Fail if we don't have a big enough queue. */ @@ -303,10 +319,66 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, return 0; } -static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) +static int virtio_ccw_handle_set_vq(SubchDev *sch, CCW1 ccw, bool check_len, + bool is_legacy) { int ret; VqInfoBlock info; + VqInfoBlockLegacy linfo; + size_t info_len = is_legacy ? sizeof(linfo) : sizeof(info); + + if (check_len) { + if (ccw.count != info_len) { + return -EINVAL; + } + } e...

...1, 2014 at 02:25:12PM +0100, Cornelia Huck wrote: > @@ -608,6 +631,25 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) > } > } > break; > + case CCW_CMD_SET_VIRTIO_REV: > + len = sizeof(revinfo); > + if (ccw.count < len || (check_len && ccw.count > len)) { > + ret = -EINVAL; > + break; > + } > + if (!ccw.cda) { > + ret = -EFAULT; > + break; > + } > + cpu_physical_memory_read(ccw.cda, &revinfo, len); > + if (d...

...1, 2014 at 02:25:12PM +0100, Cornelia Huck wrote: > @@ -608,6 +631,25 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) > } > } > break; > + case CCW_CMD_SET_VIRTIO_REV: > + len = sizeof(revinfo); > + if (ccw.count < len || (check_len && ccw.count > len)) { > + ret = -EINVAL; > + break; > + } > + if (!ccw.cda) { > + ret = -EFAULT; > + break; > + } > + cpu_physical_memory_read(ccw.cda, &revinfo, len); > + if (d...

Any user with shell access, or with access to upload a cgi script can exploit this to make machine thrash badly. Seems to circumvent any limits in the kernel Here are my settings dlai@whale.home.org:/home/dlai?limit cputime unlimited filesize 20000 kbytes datasize 8192 kbytes stacksize 8192 kbytes coredumpsize 1000000 kbytes memoryuse 8192 kbytes descriptors

...ff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c index d51642d..569ab26 100644 --- a/hw/s390x/virtio-ccw.c +++ b/hw/s390x/virtio-ccw.c @@ -525,6 +525,26 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) } } break; + case CCW_CMD_READ_STATUS: + if (check_len) { + if (ccw.count != sizeof(status)) { + ret = -EINVAL; + break; + } + } else if (ccw.count < sizeof(status)) { + /* Can't execute command. */ + ret = -EINVAL; + break; + } + if (!ccw.c...

...enter <dan.carpenter at oracle.com> diff --git a/drivers/vhost/tcm_vhost.c b/drivers/vhost/tcm_vhost.c index 29850cb..ea72198 100644 --- a/drivers/vhost/tcm_vhost.c +++ b/drivers/vhost/tcm_vhost.c @@ -1424,7 +1424,7 @@ static struct se_wwn *tcm_vhost_make_tport( return ERR_PTR(-EINVAL); check_len: - if (strlen(name) > TCM_VHOST_NAMELEN) { + if (strlen(name) >= TCM_VHOST_NAMELEN) { pr_err("Emulated %s Address: %s, exceeds" " max: %d\n", name, tcm_vhost_dump_proto_id(tport), TCM_VHOST_NAMELEN);

...enter <dan.carpenter at oracle.com> diff --git a/drivers/vhost/tcm_vhost.c b/drivers/vhost/tcm_vhost.c index 29850cb..ea72198 100644 --- a/drivers/vhost/tcm_vhost.c +++ b/drivers/vhost/tcm_vhost.c @@ -1424,7 +1424,7 @@ static struct se_wwn *tcm_vhost_make_tport( return ERR_PTR(-EINVAL); check_len: - if (strlen(name) > TCM_VHOST_NAMELEN) { + if (strlen(name) >= TCM_VHOST_NAMELEN) { pr_err("Emulated %s Address: %s, exceeds" " max: %d\n", name, tcm_vhost_dump_proto_id(tport), TCM_VHOST_NAMELEN);

These patches implement the new read status command in qemu and bump the revision to 2 (as this ccw is currently the only thing new with that revision). Patches are on top of v2 of "virtio-1/virtio-ccw related patches". Pierre Morel (2): s390x/virtio-ccw: respond to READ_STATUS command s390x/virtio-ccw: set revision 2 as maximum revision number hw/s390x/virtio-ccw.c | 20

These patches implement the new read status command in qemu and bump the revision to 2 (as this ccw is currently the only thing new with that revision). Patches are on top of v2 of "virtio-1/virtio-ccw related patches". Pierre Morel (2): s390x/virtio-ccw: respond to READ_STATUS command s390x/virtio-ccw: set revision 2 as maximum revision number hw/s390x/virtio-ccw.c | 20

These patches implement the new read status command in qemu and bump the revision to 2 (as this ccw is currently the only thing new with that revision); see "[PATCH v2 1/1] ccw: add CCW_CMD_READ_STATUS" for details. Note that we'll need to add some compat machine handling when this is added (not done here, as the machine level is not clear yet). Changes from the RFC (back in

These patches implement the new read status command in qemu and bump the revision to 2 (as this ccw is currently the only thing new with that revision); see "[PATCH v2 1/1] ccw: add CCW_CMD_READ_STATUS" for details. Note that we'll need to add some compat machine handling when this is added (not done here, as the machine level is not clear yet). Changes from the RFC (back in

...08,6 +631,25 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) > > > } > > > } > > > break; > > > + case CCW_CMD_SET_VIRTIO_REV: > > > + len = sizeof(revinfo); > > > + if (ccw.count < len || (check_len && ccw.count > len)) { > > > + ret = -EINVAL; > > > + break; > > > + } > > > + if (!ccw.cda) { > > > + ret = -EFAULT; > > > + break; > > > + } > > > +...

...08,6 +631,25 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) > > > } > > > } > > > break; > > > + case CCW_CMD_SET_VIRTIO_REV: > > > + len = sizeof(revinfo); > > > + if (ccw.count < len || (check_len && ccw.count > len)) { > > > + ret = -EINVAL; > > > + break; > > > + } > > > + if (!ccw.cda) { > > > + ret = -EFAULT; > > > + break; > > > + } > > > +...

...+ +open Unix +open Printf +let (//) = Filename.concat + +let () = + let h = Hivex.open_file ("../images/large") [] in + let (data_off, data_len) = Hivex.value_data_cell_offset h (Obj.magic 297680:Hivex.value) in + let check_off = assert (data_off == (Obj.magic 0:Hivex.value)) in + let check_len = assert (data_len == 0) in + printf "Offset and length of value data for value metadata at offset 297680 is %d, %d.\n" (Obj.magic data_off:int) (Obj.magic data_len:int); + + Hivex.close h; + + (* Gc.compact is a good way to ensure we don't have + * heap corruption or double-free...

...fo; + /* Specify where the virtqueues for the subchannel are in guest memory. */ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, uint16_t index, uint16_t num) @@ -149,6 +156,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) bool check_len; int len; hwaddr hw_len; + VirtioThinintInfo *thinint; if (!dev) { return -EINVAL; @@ -328,6 +336,11 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) ret = -EINVAL; break; } + if (sch->thinint_active) { + /* Tr...

...fo; + /* Specify where the virtqueues for the subchannel are in guest memory. */ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, uint16_t index, uint16_t num) @@ -232,6 +239,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) bool check_len; int len; hwaddr hw_len; + VirtioThinintInfo *thinint; if (!dev) { return -EINVAL; @@ -418,6 +426,11 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw) ret = -EINVAL; break; } + if (sch->thinint_active) { + /* Tr...

Hi, here's the qemu patch that implements the new adapter indicators ccw in virtio-ccw and injects adapter interrupts for the devices enabled for it. Cornelia Huck (1): s390/virtio-ccw: Adapter interrupt support. hw/s390x/css.c | 10 ++++++++ hw/s390x/css.h | 2 ++ hw/s390x/virtio-ccw.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++- hw/s390x/virtio-ccw.h |

Hi, here's the qemu patch that implements the new adapter indicators ccw in virtio-ccw and injects adapter interrupts for the devices enabled for it. Cornelia Huck (1): s390/virtio-ccw: Adapter interrupt support. hw/s390x/css.c | 10 ++++++++ hw/s390x/css.h | 2 ++ hw/s390x/virtio-ccw.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++- hw/s390x/virtio-ccw.h |

Hi, here's the current implementation of virtio-ccw adapter interrupts in qemu. Code is unchanged, only rebased against current master. Cornelia Huck (1): s390/virtio-ccw: Adapter interrupt support. hw/s390x/css.c | 10 ++++++++ hw/s390x/css.h | 2 ++ hw/s390x/virtio-ccw.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++- hw/s390x/virtio-ccw.h | 4 ++++