[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[qemu-xen master] linux-user: Fix Coverity CID 1430271 / CID 1430272

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Fri, 30 Oct 2020 21:41:22 +0000
Delivery-date: Fri, 30 Oct 2020 21:41:24 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 4c1850c130a31e6f3cc896a5ba5fb7a602540bc9
Author:     Laurent Vivier <laurent@xxxxxxxxx>
AuthorDate: Thu Jul 9 21:22:17 2020 +0200
Commit:     Laurent Vivier <laurent@xxxxxxxxx>
CommitDate: Mon Jul 13 21:22:08 2020 +0200

    linux-user: Fix Coverity CID 1430271 / CID 1430272
    
    In new functions print_ioctl() and print_syscall_ret_ioctl(), we don't
    check if lock_user() returns NULL and this would cause a segfault in
    thunk_print().
    
    If lock_user() returns NULL don't call thunk_print() but prints only the
    value of the (invalid) pointer.
    
    Tested with:
    
        # cat ioctl.c
        #include <unistd.h>
        #include <sys/ioctl.h>
    
        int main(void)
        {
            int ret;
    
            ret = ioctl(STDOUT_FILENO, TCGETS, 0xdeadbeef);
            ret = ioctl(STDOUT_FILENO, TCSETSF, 0xdeadbeef);
            return 0;
        }
        # QEMU_STRACE= ./ioctl
        ...
        578 ioctl(1,TCGETS,0xdeadbeef) = -1 errno=2 (Bad address)
        578 ioctl(1,TCSETSF,0xdeadbeef) = -1 errno=2 (Bad address)
        ...
        # QEMU_STRACE= passwd
        ...
        623 ioctl(0,TCGETS,0x3fffed04) = 0 ({})
        623 ioctl(0,TCSETSF,{}) = 0
        ...
    
    Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
    Fixes: 79482e5987c8 ("linux-user: Add strace support for printing arguments 
of ioctl()")
    Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
    Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
---
 linux-user/strace.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/linux-user/strace.c b/linux-user/strace.c
index 5235b2260c..39554d9039 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -889,8 +889,12 @@ print_syscall_ret_ioctl(const struct syscallname *name, 
abi_long ret,
             arg_type++;
             target_size = thunk_type_size(arg_type, 0);
             argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
-            thunk_print(argptr, arg_type);
-            unlock_user(argptr, arg2, target_size);
+            if (argptr) {
+                thunk_print(argptr, arg_type);
+                unlock_user(argptr, arg2, target_size);
+            } else {
+                print_pointer(arg2, 1);
+            }
             qemu_log(")");
         }
     }
@@ -3119,8 +3123,12 @@ print_ioctl(const struct syscallname *name,
                     arg_type++;
                     target_size = thunk_type_size(arg_type, 0);
                     argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
-                    thunk_print(argptr, arg_type);
-                    unlock_user(argptr, arg2, target_size);
+                    if (argptr) {
+                        thunk_print(argptr, arg_type);
+                        unlock_user(argptr, arg2, target_size);
+                    } else {
+                        print_pointer(arg2, 1);
+                    }
                     break;
                 }
                 break;
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

Prev by Date: [qemu-xen master] linux-user: refactor ipc syscall and support of semtimedop syscall
Next by Date: [qemu-xen master] linux-user: add new netlink types
Previous by thread: [qemu-xen master] linux-user: refactor ipc syscall and support of semtimedop syscall
Next by thread: [qemu-xen master] linux-user: add new netlink types
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.