From 07c499baed0c800e43cd6ec867fc465dea43567d Mon Sep 17 00:00:00 2001

From: Markus Armbruster <armbru@redhat.com>

Date: Mon, 7 Oct 2019 07:35:08 +0100

Subject: [PATCH 15/22] fw_cfg: Fix -boot reboot-timeout error checking

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Markus Armbruster <armbru@redhat.com>

Message-id: <20191007073509.5887-4-armbru@redhat.com>

Patchwork-id: 90979

O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 3/4] fw_cfg: Fix -boot reboot-timeout error checking

Bugzilla: 1607367

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

From: Li Qiang <liq3ea@gmail.com>

fw_cfg_reboot() gets option parameter "reboot-timeout" with

qemu_opt_get(), then converts it to an integer by hand. It neglects to

check that conversion for errors, and fails to reject negative values.

Positive values above the limit get reported and replaced by the limit.

This patch checks for conversion errors properly, and reject all values

outside 0...0xffff.

Signed-off-by: Li Qiang <liq3ea@gmail.com>

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-Id: <1542777026-2788-3-git-send-email-liq3ea@gmail.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

(cherry picked from commit ee5d0f89de3e53cdb0dcf51acc1502b310ed3bd2)

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 hw/nvram/fw_cfg.c | 27 +++++++++++++--------------

 vl.c              |  2 +-

 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c

index d7185ea..02ab458 100644

--- a/hw/nvram/fw_cfg.c

+++ b/hw/nvram/fw_cfg.c

@@ -176,26 +176,25 @@ static void fw_cfg_bootsplash(FWCfgState *s)

 static void fw_cfg_reboot(FWCfgState *s)

 {

-    int reboot_timeout = -1;

-    char *p;

-    const char *temp;

+    const char *reboot_timeout = NULL;

+    int64_t rt_val = -1;

     /* get user configuration */

     QemuOptsList *plist = qemu_find_opts("boot-opts");

     QemuOpts *opts = QTAILQ_FIRST(&plist->head);

-    if (opts != NULL) {

-        temp = qemu_opt_get(opts, "reboot-timeout");

-        if (temp != NULL) {

-            p = (char *)temp;

-            reboot_timeout = strtol(p, &p, 10);

+    reboot_timeout = qemu_opt_get(opts, "reboot-timeout");

+

+    if (reboot_timeout) {

+        rt_val = qemu_opt_get_number(opts, "reboot-timeout", -1);

+        /* validate the input */

+        if (rt_val < 0 || rt_val > 0xffff) {

+            error_report("reboot timeout is invalid,"

+                         "it should be a value between 0 and 65535");

+            exit(1);

         }

     }

-    /* validate the input */

-    if (reboot_timeout > 0xffff) {

-        error_report("reboot timeout is larger than 65535, force it to 65535.");

-        reboot_timeout = 0xffff;

-    }

-    fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&reboot_timeout, 4), 4);

+

+    fw_cfg_add_file(s, "etc/boot-fail-wait", g_memdup(&rt_val, 4), 4);

 }

 static void fw_cfg_write(FWCfgState *s, uint8_t value)

diff --git a/vl.c b/vl.c

index e2212f5..3cee95f 100644

--- a/vl.c

+++ b/vl.c

@@ -367,7 +367,7 @@ static QemuOptsList qemu_boot_opts = {

             .type = QEMU_OPT_NUMBER,

         }, {

             .name = "reboot-timeout",

-            .type = QEMU_OPT_STRING,

+            .type = QEMU_OPT_NUMBER,

         }, {

             .name = "strict",

             .type = QEMU_OPT_BOOL,

-- 

1.8.3.1