From: John Ferlan
To: libvir-list@redhat.com
Date: Mon, 31 Jul 2017 20:05:07 -0400
Message-Id: <20170801000508.14341-8-jferlan@redhat.com>
In-Reply-To: <20170801000508.14341-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v2 7/8] util: Add magic number check for object validity

The virObjectIsClass API has only ever checked object validity based on if the @obj is not NULL and it was derived from some class. While this has worked well in general, there is one additional check that could be made prior to calling virClassIsDerivedFrom which loops through the classes checking the magic number against the klass expected magic number.

If by chance a non virObject is passed, rather than assuming the void * @obj is a _virObject and thus offsetting to obj->klass, obj->magic, and obj->parent, let's check that the void * @obj has at least the "base part" of the magic number in the right place and generate a more specific VIR_WARN message if not.

There are many consumers to virObjectIsClass, including the locking primitives virObject{Lock|Unlock}, virObjectRWLock{Read|Write}, and virObjectRWUnlock.
For those callers, the locking call will not fail, but it also will not attempt a virMutex* call which will "most likely" fail since the &obj->lock is used. In order to avoid some possible future wrap on the 0xCAFExxxx value, add a check during initialization that some new class won't cause the wrap. Should be good for a few years at least! It is still left up to the caller to handle the failed API calls just as it would be if it passed a NULL opaque pointer anyobj. Signed-off-by: John Ferlan --- src/util/virobject.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/src/util/virobject.c b/src/util/virobject.c index af3f252..54d78b0 100644 --- a/src/util/virobject.c +++ b/src/util/virobject.c @@ -47,14 +47,21 @@ struct _virClass { virObjectDisposeCallback dispose; }; =20 +#define VIR_OBJECT_NOTVALID(obj) (!obj || ((obj->u.s.magic & 0xFFFF0000) != =3D 0xCAFE0000)) + #define VIR_OBJECT_USAGE_PRINT_WARNING(anyobj, objclass) = \ do { = \ virObjectPtr obj =3D anyobj; = \ - if (!obj) = \ - VIR_WARN("Object cannot be NULL"); = \ - else = \ + if (VIR_OBJECT_NOTVALID(obj)) { = \ + if (!obj) = \ + VIR_WARN("Object cannot be NULL"); = \ + else = \ + VIR_WARN("Object %p has a bad magic number %X", = \ + obj, obj->u.s.magic); = \ + } else { = \ VIR_WARN("Object %p (%s) is not a %s instance", = \ anyobj, obj->klass->name, #objclass); = \ + } = \ } while (0) =20 =20 @@ -177,9 +184,14 @@ virClassNew(virClassPtr parent, goto error; =20 klass->parent =3D parent; + klass->magic =3D virAtomicIntInc(&magicCounter); + if (klass->magic > 0xCAFEFFFF) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("too many object classes defined")); + goto error; + } if (VIR_STRDUP(klass->name, name) < 0) goto error; - klass->magic =3D virAtomicIntInc(&magicCounter); klass->objectSize =3D objectSize; klass->dispose =3D dispose; =20 
@@ -535,7 +547,7 @@ virObjectIsClass(void *anyobj, virClassPtr klass) { virObjectPtr obj =3D anyobj; - if (!obj) + if (VIR_OBJECT_NOTVALID(obj)) return false; =20 return virClassIsDerivedFrom(obj->klass, klass); --=20 2.9.4
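
Review bot: in the first hunk (@@ -47,14 +47,21 @@), VIR_OBJECT_NOTVALID uses its argument unparenthesized (`!obj`, `obj->u.s.magic`), so it only expands correctly when handed a plain identifier; `!(obj)` and `(obj)->u.s.magic` would make it safe for any pointer expression. The 0xFFFF0000 mask and the 0xCAFE0000 base are bare literals here, and the matching 0xCAFEFFFF limit is written out separately in virClassNew, so named constants would keep the three values in step. In the new bad-magic branch of VIR_OBJECT_USAGE_PRINT_WARNING, obj->u.s.magic is read from a pointer the macro has just decided is not a virObject; a one-line comment saying that this read is best effort would help the next reader.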
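
Review bot: in the virClassNew hunk (@@ -177,9 +184,14 @@), virAtomicIntInc(&magicCounter) now runs before VIR_STRDUP, so a failed name copy consumes a magic value that the previous ordering would not have used, and the range check only runs after the counter has already been advanced. Consider leaving the increment after VIR_STRDUP and placing the `klass->magic > 0xCAFEFFFF` check directly beneath it, or state in a comment that skipped values on the error path are acceptable. A short comment explaining why 0xCAFEFFFF is the limit (it is the last value that still passes the VIR_OBJECT_NOTVALID mask) would also document the link between the two hunks.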
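
Review bot: in the virObjectIsClass hunk (@@ -535,7 +547,7 @@), VIR_OBJECT_NOTVALID(obj) confirms only that the upper 16 bits of obj->u.s.magic are 0xCAFE, and obj->klass is still dereferenced by virClassIsDerivedFrom on the next line. Memory that happens to hold 0xCAFExxxx at that offset therefore passes the test with an unchecked klass pointer, so this is a heuristic filter rather than a guarantee. Please say so in the function's description, together with the fact that the function now returns false for a non-NULL pointer with a bad magic number, since the commit message leaves handling of that failure to the callers.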