|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen master] block/nbd: fix segmentation fault when .desc is not null-terminated
commit b9da3c1de7829a982685029222482cc5914638f4
Author: Murilo Opsfelder Araujo <muriloo@xxxxxxxxxxxxxxxxxx>
AuthorDate: Fri Jan 5 11:32:41 2018 -0200
Commit: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Tue Jan 9 10:41:11 2018 -0600
block/nbd: fix segmentation fault when .desc is not null-terminated
The find_desc_by_name() from util/qemu-option.c relies on the .name not
being
NULL to call strcmp(). This check becomes unsafe when the list is not
NULL-terminated, which is the case of nbd_runtime_opts in block/nbd.c, and
can
result in segmentation fault when strcmp() tries to access an invalid
memory:
#0 0x00007fff8c75f7d4 in __strcmp_power9 () from /lib64/libc.so.6
#1 0x00000000102d3ec8 in find_desc_by_name (desc=0x1036d6f0,
name=0x28e46670 "server.path") at util/qemu-option.c:166
#2 0x00000000102d93e0 in qemu_opts_absorb_qdict (opts=0x28e47a80,
qdict=0x28e469a0, errp=0x7fffec247c98) at util/qemu-option.c:1026
#3 0x000000001012a2e4 in nbd_open (bs=0x28e42290, options=0x28e469a0,
flags=24578, errp=0x7fffec247d80) at block/nbd.c:406
#4 0x00000000100144e8 in bdrv_open_driver (bs=0x28e42290,
drv=0x1036e070 <bdrv_nbd_unix>, node_name=0x0, options=0x28e469a0,
open_flags=24578, errp=0x7fffec247f50) at block.c:1135
#5 0x0000000010015b04 in bdrv_open_common (bs=0x28e42290, file=0x0,
options=0x28e469a0, errp=0x7fffec247f50) at block.c:1395
>From gdb, the desc[i].name was not NULL and resulted in strcmp() accessing
an
invalid memory:
>>> p desc[5]
$8 = {
name = 0x1037f098 "R27A",
type = 1561964883,
help = 0xc0bbb23e <error: Cannot access memory at address 0xc0bbb23e>,
def_value_str = 0x2 <error: Cannot access memory at address 0x2>
}
>>> p desc[6]
$9 = {
name = 0x103dac78 <__gcov0.do_qemu_init_bdrv_nbd_init> "\001",
type = 272101528,
help = 0x29ec0b754403e31f <error: Cannot access memory at address
0x29ec0b754403e31f>,
def_value_str = 0x81f343b9 <error: Cannot access memory at address
0x81f343b9>
}
This patch fixes the segmentation fault in strcmp() by adding a NULL
element at
the end of nbd_runtime_opts.desc list, which is the common practice to most
of
other structs like runtime_opts in block/null.c. Thus, the desc[i].name !=
NULL
check becomes safe because it will not evaluate to true when .desc list
reached
its end.
Reported-by: R. Nageswara Sastry <nasastry@xxxxxxxxxx>
Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
Signed-off-by: Murilo Opsfelder Araujo <muriloo@xxxxxxxxxxxxxxxxxx>
Message-Id: <20180105133241.14141-2-muriloo@xxxxxxxxxxxxxxxxxx>
CC: qemu-stable@xxxxxxxxxx
Fixes: 7ccc44fd7d1dfa62c4d6f3a680df809d6e7068ce
Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
(cherry picked from commit c4365735a7d38f4355c6f77e6670d3972315f7c2)
Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
block/nbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/nbd.c b/block/nbd.c
index a50d24b..8b8ba56 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -388,6 +388,7 @@ static QemuOptsList nbd_runtime_opts = {
.type = QEMU_OPT_STRING,
.help = "ID of the TLS credentials to use",
},
+ { /* end of list */ }
},
};
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |