qemu/chardev-char-socket-Fix-TLS-io-channels-sending-too-.patch

From 2d0d05b7d5925f71d7ddd4df9f1ac12add453298 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Thu, 7 Mar 2024 10:39:23 +0800
Subject: [PATCH] chardev/char-socket: Fix TLS io channels sending too much
 data to the backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cheery-pick from 462945cd22d2bcd233401ed3aa167d83a8e35b05

Commit ffda5db65a ("io/channel-tls: fix handling of bigger read buffers")
changed the behavior of the TLS io channels to schedule a second reading
attempt if there is still incoming data pending. This caused a regression
with backends like the sclpconsole that check in their read function that
the sender does not try to write more bytes to it than the device can
currently handle.

The problem can be reproduced like this:

 1) In one terminal, do this:

  mkdir qemu-pki
  cd qemu-pki
  openssl genrsa 2048 > ca-key.pem
  openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
  # enter some dummy value for the cert
  openssl genrsa 2048 > server-key.pem
  openssl req -new -x509 -nodes -days 365000 -key server-key.pem \
    -out server-cert.pem
  # enter some other dummy values for the cert

  gnutls-serv --echo --x509cafile ca-cert.pem --x509keyfile server-key.pem \
              --x509certfile server-cert.pem -p 8338

 2) In another terminal, do this:

  wget https://download.fedoraproject.org/pub/fedora-secondary/releases/39/Cloud/s390x/images/Fedora-Cloud-Base-39-1.5.s390x.qcow2

  qemu-system-s390x -nographic -nodefaults \
    -hda Fedora-Cloud-Base-39-1.5.s390x.qcow2 \
    -object tls-creds-x509,id=tls0,endpoint=client,verify-peer=false,dir=$PWD/qemu-pki \
    -chardev socket,id=tls_chardev,host=localhost,port=8338,tls-creds=tls0 \
    -device sclpconsole,chardev=tls_chardev,id=tls_serial

QEMU then aborts after a second or two with:

  qemu-system-s390x: ../hw/char/sclpconsole.c:73: chr_read: Assertion
   `size <= SIZE_BUFFER_VT220 - scon->iov_data_len' failed.
 Aborted (core dumped)

It looks like the second read does not trigger the chr_can_read() function
to be called before the second read, which should normally always be done
before sending bytes to a character device to see how much it can handle,
so the s->max_size in tcp_chr_read() still contains the old value from the
previous read. Let's make sure that we use the up-to-date value by calling
tcp_chr_read_poll() again here.

Fixes: ffda5db65a ("io/channel-tls: fix handling of bigger read buffers")
Buglink: https://issues.redhat.com/browse/RHEL-24614
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Message-ID: <20240229104339.42574-1-thuth@redhat.com>
Reviewed-by: Antoine Damhet <antoine.damhet@blade-group.com>
Tested-by: Antoine Damhet <antoine.damhet@blade-group.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
 chardev/char-socket.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 73947da188..034840593d 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -492,9 +492,9 @@ static gboolean tcp_chr_read(QIOChannel *chan, GIOCondition cond, void *opaque)
         s->max_size <= 0) {
         return TRUE;
     }
-    len = sizeof(buf);
-    if (len > s->max_size) {
-        len = s->max_size;
+    len = tcp_chr_read_poll(opaque);
+    if (len > sizeof(buf)) {
+        len = sizeof(buf);
     }
     size = tcp_chr_recv(chr, (void *)buf, len);
     if (size == 0 || (size == -1 && errno != EAGAIN)) {
-- 
2.27.0
QEMU update to version 8.2.0-2 - block: bugfix: Don't pause vm when NOSPACE EIO happened - block: enable cache mode of empty cdrom - block/mirror: fix file-system went to read-only after block-mirror - scsi-bus: fix incorrect call for blk_error_retry_reset_timeout() - scsi-bus: fix unmatched object_unref() - block: Add sanity check when setting retry parameters - block-backend: Stop retrying when draining - scsi-disk: Add support for retry on errors - scsi-bus: Refactor the code that retries requests - virtio_blk: Add support for retry on errors - block: Add error retry param setting - block-backend: Add timeout support for retry - block-backend: Enable retry action on errors - block-backend: Add device specific retry callback - block-backend: Introduce retry timer - qapi/block-core: Add retry option for error action - scsi: bugfix: fix division by zero - scsi: cdrom: Fix crash after remote cdrom detached - qemu-pr: fixed ioctl failed for multipath disk - scsi-disk: define props in scsi_block_disk to avoid memleaks - bugfix: fix possible memory leak - bugfix: fix some illegal memory access and memory leak - util/log: add CONFIG_DISABLE_QEMU_LOG macro - log: Add some logs on VM runtime path - bugfix: fix eventfds may double free when vm_id reused in ivshmem - hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize() - hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config() - qemu-img create: 'cache' paramter only use for reg file image - qemu-img: add qemu-img direct create - qemu-img block: set zero flags only when discard_zeros of the block supported - Revert "file-posix: Remove unused s->discard_zeroes" - pcie_sriov: Validate NumVFs (CVE-2024-26327) - hw/nvme: Use pcie_sriov_num_vfs() (CVE-2024-26328) - hw/acpi/cpu: Use CPUState typedef - target/i386/sev: Fix missing ERRP_GUARD() for error_prepend() - virtio-gpu: remove needless condition - hw/i2c/smbus_slave: Add object path on error prints - vfio/pci: Ascend710 change to bar2 quirk - vfio/pci: Ascend910 need 4Bytes quirk in bar0 - vfio/pci: Ascend710 need 4Bytes quirk in bar0 - vfio/pci: Ascend310 need 4Bytes quirk in bar4 - chardev/char-socket: Fix TLS io channels sending too much data to the backend - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - blkio: Respect memory-alignment for bounce buffer allocations - virtio-gpu: Correct virgl_renderer_resource_get_info() error check - hw/usb: Style cleanup - tests/qemu-iotests: resolved the problem that the 108 test cases in the container fail Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 404d45bf9147058a475a8031c454a6c8e0acc123) 2024-03-23 09:20:40 +08:00			`From 2d0d05b7d5925f71d7ddd4df9f1ac12add453298 Mon Sep 17 00:00:00 2001`
			`From: qihao <qihao_yewu@cmss.chinamobile.com>`
			`Date: Thu, 7 Mar 2024 10:39:23 +0800`
			`Subject: [PATCH] chardev/char-socket: Fix TLS io channels sending too much`
			`data to the backend`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`cheery-pick from 462945cd22d2bcd233401ed3aa167d83a8e35b05`

			`Commit ffda5db65a ("io/channel-tls: fix handling of bigger read buffers")`
			`changed the behavior of the TLS io channels to schedule a second reading`
			`attempt if there is still incoming data pending. This caused a regression`
			`with backends like the sclpconsole that check in their read function that`
			`the sender does not try to write more bytes to it than the device can`
			`currently handle.`

			`The problem can be reproduced like this:`

			`1) In one terminal, do this:`

			`mkdir qemu-pki`
			`cd qemu-pki`
			`openssl genrsa 2048 > ca-key.pem`
			`openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem`
			`# enter some dummy value for the cert`
			`openssl genrsa 2048 > server-key.pem`
			`openssl req -new -x509 -nodes -days 365000 -key server-key.pem \`
			`-out server-cert.pem`
			`# enter some other dummy values for the cert`

			`gnutls-serv --echo --x509cafile ca-cert.pem --x509keyfile server-key.pem \`
			`--x509certfile server-cert.pem -p 8338`

			`2) In another terminal, do this:`

			`wget https://download.fedoraproject.org/pub/fedora-secondary/releases/39/Cloud/s390x/images/Fedora-Cloud-Base-39-1.5.s390x.qcow2`

			`qemu-system-s390x -nographic -nodefaults \`
			`-hda Fedora-Cloud-Base-39-1.5.s390x.qcow2 \`
			`-object tls-creds-x509,id=tls0,endpoint=client,verify-peer=false,dir=$PWD/qemu-pki \`
			`-chardev socket,id=tls_chardev,host=localhost,port=8338,tls-creds=tls0 \`
			`-device sclpconsole,chardev=tls_chardev,id=tls_serial`

			`QEMU then aborts after a second or two with:`

			`qemu-system-s390x: ../hw/char/sclpconsole.c:73: chr_read: Assertion`
			`size <= SIZE_BUFFER_VT220 - scon->iov_data_len' failed.
			`Aborted (core dumped)`

			`It looks like the second read does not trigger the chr_can_read() function`
			`to be called before the second read, which should normally always be done`
			`before sending bytes to a character device to see how much it can handle,`
			`so the s->max_size in tcp_chr_read() still contains the old value from the`
			`previous read. Let's make sure that we use the up-to-date value by calling`
			`tcp_chr_read_poll() again here.`

			`Fixes: ffda5db65a ("io/channel-tls: fix handling of bigger read buffers")`
			`Buglink: https://issues.redhat.com/browse/RHEL-24614`
			`Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>`
			`Message-ID: <20240229104339.42574-1-thuth@redhat.com>`
			`Reviewed-by: Antoine Damhet <antoine.damhet@blade-group.com>`
			`Tested-by: Antoine Damhet <antoine.damhet@blade-group.com>`
			`Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>`
			`Signed-off-by: Thomas Huth <thuth@redhat.com>`
			`Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`---`
			`chardev/char-socket.c \| 6 +++---`
			`1 file changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/chardev/char-socket.c b/chardev/char-socket.c`
			`index 73947da188..034840593d 100644`
			`--- a/chardev/char-socket.c`
			`+++ b/chardev/char-socket.c`
			`@@ -492,9 +492,9 @@ static gboolean tcp_chr_read(QIOChannel chan, GIOCondition cond, void opaque)`
			`s->max_size <= 0) {`
			`return TRUE;`
			`}`
			`- len = sizeof(buf);`
			`- if (len > s->max_size) {`
			`- len = s->max_size;`
			`+ len = tcp_chr_read_poll(opaque);`
			`+ if (len > sizeof(buf)) {`
			`+ len = sizeof(buf);`
			`}`
			`size = tcp_chr_recv(chr, (void *)buf, len);`
			`if (size == 0 \|\| (size == -1 && errno != EAGAIN)) {`
			`--`
			`2.27.0`