bbdd2ad081
tcp_chr_connect(), unlike for example udp_chr_update_read_handler(), does not check that the fd it is using is valid (>= 0) before passing it to qemu_set_fd_handler2(). If using e.g. a TCP serial port which is not initially connected, this can result in -1 being passed to FD_ISSET, which has undefined behaviour. On x86 it seems to harmlessly return 0, but on PowerPC it causes a fortify buffer overflow error to be thrown. This patch fixes this by putting an extra test in tcp_chr_connect(), and also adds an assert to qemu_set_fd_handler2() to catch other such errors on all platforms, rather than just some. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
/*
 * QEMU System Emulator - managing I/O handler
 *
 * Copyright (c) 2003-2008 Fabrice Bellard
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
#include "config-host.h"
#include "qemu-common.h"
#include "qemu-char.h"
#include "qemu-queue.h"
#include "main-loop.h"

#include <errno.h>
#include <string.h>

#ifndef _WIN32
#include <sys/wait.h>
#endif
/*
 * One registered file descriptor and the callbacks attached to it.
 *
 * Records live on the io_handlers list below.  Removal is lazy: a record
 * is first flagged 'deleted' by qemu_set_fd_handler2() and is unlinked
 * and freed later by qemu_iohandler_poll(), so a handler may deregister
 * its own descriptor while it is running.
 */
typedef struct IOHandlerRecord {
    /* Optional predicate; when set and returning 0 the fd is not polled for reading. */
    IOCanReadHandler *fd_read_poll;
    /* Called from qemu_iohandler_poll() when the fd is readable. */
    IOHandler *fd_read;
    /* Called from qemu_iohandler_poll() when the fd is writable. */
    IOHandler *fd_write;
    /* Passed unchanged to the three callbacks above. */
    void *opaque;
    QLIST_ENTRY(IOHandlerRecord) next;
    /* Always >= 0: enforced by the assert in qemu_set_fd_handler2(), since
       FD_SET()/FD_ISSET() on -1 is undefined behaviour. */
    int fd;
    /* Flagged for removal: skipped by fill/poll and freed by poll. */
    bool deleted;
} IOHandlerRecord;
/* All registered fd handlers; entries flagged 'deleted' are reaped by
   qemu_iohandler_poll(). */
static QLIST_HEAD(, IOHandlerRecord) io_handlers =
    QLIST_HEAD_INITIALIZER(io_handlers);
/* XXX: fd_read_poll should be suppressed, but an API change is
   necessary in the character devices to suppress fd_can_read(). */
/*
 * Register, replace or remove the handlers for @fd.
 *
 * @fd must be a valid (non-negative) descriptor: it is later handed to
 * FD_SET()/FD_ISSET(), which have undefined behaviour for -1.  Callers
 * whose descriptor may not exist yet (e.g. a character device that is not
 * connected) must check it before calling in here; the assert turns that
 * misuse into a loud failure on every platform instead of a silent one on
 * some.
 *
 * Passing NULL for both @fd_read and @fd_write deregisters @fd.  The
 * record is only flagged: it stays linked until qemu_iohandler_poll()
 * frees it, which is what lets a handler deregister itself from inside
 * its own callback.  Otherwise an existing record for @fd is updated in
 * place (which also cancels a pending deletion) or a new one is created,
 * and the main loop is woken so the change takes effect.
 *
 * @fd_read_poll: optional; when it returns 0 the fd is not polled for
 *                reading that round.
 * @opaque:       passed unchanged to the callbacks.
 *
 * Returns 0.
 */
int qemu_set_fd_handler2(int fd,
                         IOCanReadHandler *fd_read_poll,
                         IOHandler *fd_read,
                         IOHandler *fd_write,
                         void *opaque)
{
    IOHandlerRecord *rec = NULL;
    IOHandlerRecord *cur;

    assert(fd >= 0);

    /* Locate the first existing record for this descriptor, if any. */
    QLIST_FOREACH(cur, &io_handlers, next) {
        if (cur->fd == fd) {
            rec = cur;
            break;
        }
    }

    if (fd_read == NULL && fd_write == NULL) {
        /* Removal: flag only, never unlink here (see qemu_iohandler_poll). */
        if (rec != NULL) {
            rec->deleted = 1;
        }
        return 0;
    }

    if (rec == NULL) {
        rec = g_malloc0(sizeof(*rec));
        QLIST_INSERT_HEAD(&io_handlers, rec, next);
    }

    rec->fd = fd;
    rec->fd_read_poll = fd_read_poll;
    rec->fd_read = fd_read;
    rec->fd_write = fd_write;
    rec->opaque = opaque;
    rec->deleted = 0;
    /* Wake the main loop so the new fd set is built on the next iteration. */
    qemu_notify_event();

    return 0;
}
/*
 * Convenience wrapper around qemu_set_fd_handler2() for callers that have
 * no read-poll predicate.  Same contract: @fd must be >= 0 (asserted in
 * the callee), NULL for both handlers deregisters @fd, always returns 0.
 */
int qemu_set_fd_handler(int fd,
                        IOHandler *fd_read,
                        IOHandler *fd_write,
                        void *opaque)
{
    IOCanReadHandler *no_read_poll = NULL;
    int rc;

    rc = qemu_set_fd_handler2(fd, no_read_poll, fd_read, fd_write, opaque);
    return rc;
}
/* Add @fd to @set and widen the tracked maximum descriptor if needed. */
static void iohandler_mark_fd(int fd, fd_set *set, int *pnfds)
{
    FD_SET(fd, set);
    if (fd > *pnfds) {
        *pnfds = fd;
    }
}

/*
 * Populate the select() fd_sets from the io_handlers list.
 *
 * @pnfds is raised to the largest descriptor added.  A record with a
 * read handler is polled for reading unless its fd_read_poll predicate
 * returns 0; records flagged 'deleted' are skipped entirely.  @xfds is
 * accepted for interface symmetry and is not touched here.
 *
 * NOTE(review): nothing in this file bounds fd from above.  On POSIX an
 * fd_set is a fixed bitmask and FD_SET() with fd >= FD_SETSIZE writes out
 * of bounds, so that limit has to be guaranteed by the callers / main
 * loop — confirm.
 */
void qemu_iohandler_fill(int *pnfds, fd_set *readfds, fd_set *writefds, fd_set *xfds)
{
    IOHandlerRecord *rec;

    QLIST_FOREACH(rec, &io_handlers, next) {
        bool wants_read;

        if (rec->deleted) {
            continue;
        }

        /* The predicate is only consulted when a read handler exists. */
        wants_read = rec->fd_read != NULL &&
                     (rec->fd_read_poll == NULL ||
                      rec->fd_read_poll(rec->opaque) != 0);
        if (wants_read) {
            iohandler_mark_fd(rec->fd, readfds, pnfds);
        }
        if (rec->fd_write != NULL) {
            iohandler_mark_fd(rec->fd, writefds, pnfds);
        }
    }
}
/*
 * Dispatch the handlers whose descriptors select() reported as ready.
 *
 * @ret is select()'s return value; nothing is dispatched when it is zero
 * or negative.  A record flagged 'deleted' is never dispatched.  The flag
 * is re-read before the write callback and again after both callbacks,
 * because a handler may deregister its own fd while running; records that
 * end up flagged are unlinked and freed here, the only place in this file
 * that releases them.  @xfds is not used.
 */
void qemu_iohandler_poll(fd_set *readfds, fd_set *writefds, fd_set *xfds, int ret)
{
    IOHandlerRecord *rec, *tmp;

    if (ret <= 0) {
        return;
    }

    /* _SAFE: the record may be freed at the bottom of the iteration. */
    QLIST_FOREACH_SAFE(rec, &io_handlers, next, tmp) {
        bool readable, writable;

        readable = !rec->deleted && rec->fd_read != NULL &&
                   FD_ISSET(rec->fd, readfds);
        if (readable) {
            rec->fd_read(rec->opaque);
        }

        /* 'deleted' re-evaluated: fd_read may have deregistered this fd. */
        writable = !rec->deleted && rec->fd_write != NULL &&
                   FD_ISSET(rec->fd, writefds);
        if (writable) {
            rec->fd_write(rec->opaque);
        }

        /* Last, so that a handler deregistering itself above is honoured. */
        if (rec->deleted) {
            QLIST_REMOVE(rec, next);
            g_free(rec);
        }
    }
}
/* Reaping of zombies. Right now we're not passing the status to
   anyone, but it would be possible to add a callback. */
#ifndef _WIN32
/* One child process being watched; the record is freed once waitpid()
   in sigchld_bh_handler() reports that the child has been reaped. */
typedef struct ChildProcessRecord {
    /* pid handed to waitpid(); its exit status is discarded. */
    int pid;
    QLIST_ENTRY(ChildProcessRecord) next;
} ChildProcessRecord;
/* Children registered via qemu_add_child_watch() and not yet reaped. */
static QLIST_HEAD(, ChildProcessRecord) child_watches =
    QLIST_HEAD_INITIALIZER(child_watches);
/* Bottom half that runs sigchld_bh_handler().  NULL until
   qemu_init_child_watch() has run; qemu_add_child_watch() uses that as
   its "already initialised" flag. */
static QEMUBH *sigchld_bh;
/*
 * SIGCHLD handler.  Does no reaping itself: it only schedules the bottom
 * half so that the real work (list walking, waitpid(), g_free()) runs in
 * normal main-loop context rather than inside a signal handler.
 * NOTE(review): this relies on qemu_bh_schedule() being async-signal-safe;
 * confirm against its implementation.
 */
static void sigchld_handler(int signal)
{
    (void)signal;   /* only SIGCHLD is ever routed here */
    qemu_bh_schedule(sigchld_bh);
}
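/*
 * Bottom-half body scheduled by sigchld_handler(): reap every watched
 * child that has exited and drop its record.  Exit status is discarded.
 *
 * A record is also dropped when waitpid() fails with ECHILD: the pid is
 * then no longer a child of ours (it was reaped somewhere else), so it can
 * never be collected here; keeping it would leak the record and could
 * wrongly match a later child that reuses the pid.  Any other failure
 * (e.g. EINTR) leaves the record for the next round.
 *
 * @opaque: unused.
 */
static void sigchld_bh_handler(void *opaque)
{
    ChildProcessRecord *rec, *tmp;

    /* _SAFE: the current record may be freed inside the loop. */
    QLIST_FOREACH_SAFE(rec, &child_watches, next, tmp) {
        pid_t res = waitpid(rec->pid, NULL, WNOHANG);
        bool gone = (res == rec->pid) || (res == -1 && errno == ECHILD);

        if (gone) {
            QLIST_REMOVE(rec, next);
            g_free(rec);
        }
    }
}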
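/*
 * One-time setup for child reaping: create the SIGCHLD bottom half and
 * install sigchld_handler().  Called lazily from qemu_add_child_watch().
 *
 * SA_NOCLDSTOP keeps stopped/continued children from raising SIGCHLD;
 * only exits are of interest here.
 */
static void qemu_init_child_watch(void)
{
    struct sigaction act;

    sigchld_bh = qemu_bh_new(sigchld_bh_handler, NULL);

    /* sigaction() reads every field, including sa_mask and any extra
       platform members; zero the struct and give it an explicit empty
       mask rather than whatever the stack held. */
    memset(&act, 0, sizeof(act));
    sigemptyset(&act.sa_mask);
    act.sa_handler = sigchld_handler;
    act.sa_flags = SA_NOCLDSTOP;
    sigaction(SIGCHLD, &act, NULL);
}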
/*
 * Start watching @pid so that it is reaped by the SIGCHLD bottom half.
 * Performs the one-time signal setup on first use.
 *
 * Returns 1 if @pid is already being watched (nothing added), 0 once a
 * new record has been queued.
 */
int qemu_add_child_watch(pid_t pid)
{
    ChildProcessRecord *cur, *fresh;
    bool already_watched = false;

    if (sigchld_bh == NULL) {
        qemu_init_child_watch();
    }

    QLIST_FOREACH(cur, &child_watches, next) {
        if (cur->pid == pid) {
            already_watched = true;
            break;
        }
    }
    if (already_watched) {
        return 1;
    }

    fresh = g_malloc0(sizeof(*fresh));
    fresh->pid = pid;
    QLIST_INSERT_HEAD(&child_watches, fresh, next);
    return 0;
}
#endif