From 22e4a267a6627e5b5b1b13bfc1b92445775704be Mon Sep 17 00:00:00 2001 From: Kan Li Date: Wed, 24 Oct 2018 20:13:03 +0000 Subject: Fix linux-user crashes in ioctl(SIOCGIFCONF) when ifc_buf is NULL. Summary: This is to fix bug https://bugs.launchpad.net/qemu/+bug/1796754. It is valid for ifc_buf to be NULL according to http://man7.org/linux/man-pages/man7/netdevice.7.html. Signed-off-by: Kan Li Reviewed-by: Laurent Vivier Message-Id: <20181024201303.114-1-likan_999.student@sina.com> [lv: fix errors reported by checkpatch.pl] Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 56 +++++++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 25 deletions(-) (limited to 'linux-user/syscall.c') diff --git a/linux-user/syscall.c b/linux-user/syscall.c index bf076cbf8c..08acc4d860 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -4187,28 +4187,33 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp, unlock_user(argptr, arg, 0); host_ifconf = (struct ifconf *)(unsigned long)buf_temp; - target_ifc_len = host_ifconf->ifc_len; target_ifc_buf = (abi_long)(unsigned long)host_ifconf->ifc_buf; - target_ifreq_size = thunk_type_size(ifreq_arg_type, 0); - nb_ifreq = target_ifc_len / target_ifreq_size; - host_ifc_len = nb_ifreq * sizeof(struct ifreq); - outbufsz = sizeof(*host_ifconf) + host_ifc_len; - if (outbufsz > MAX_STRUCT_SIZE) { - /* We can't fit all the extents into the fixed size buffer. - * Allocate one that is large enough and use it instead. - */ - host_ifconf = malloc(outbufsz); - if (!host_ifconf) { - return -TARGET_ENOMEM; + if (target_ifc_buf != 0) { + target_ifc_len = host_ifconf->ifc_len; + nb_ifreq = target_ifc_len / target_ifreq_size; + host_ifc_len = nb_ifreq * sizeof(struct ifreq); + + outbufsz = sizeof(*host_ifconf) + host_ifc_len; + if (outbufsz > MAX_STRUCT_SIZE) { + /* + * We can't fit all the extents into the fixed size buffer. + * Allocate one that is large enough and use it instead. + */ + host_ifconf = malloc(outbufsz); + if (!host_ifconf) { + return -TARGET_ENOMEM; + } + memcpy(host_ifconf, buf_temp, sizeof(*host_ifconf)); + free_buf = 1; } - memcpy(host_ifconf, buf_temp, sizeof(*host_ifconf)); - free_buf = 1; - } - host_ifc_buf = (char*)host_ifconf + sizeof(*host_ifconf); + host_ifc_buf = (char *)host_ifconf + sizeof(*host_ifconf); - host_ifconf->ifc_len = host_ifc_len; + host_ifconf->ifc_len = host_ifc_len; + } else { + host_ifc_buf = NULL; + } host_ifconf->ifc_buf = host_ifc_buf; ret = get_errno(safe_ioctl(fd, ie->host_cmd, host_ifconf)); @@ -4231,15 +4236,16 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp, thunk_convert(argptr, host_ifconf, arg_type, THUNK_TARGET); unlock_user(argptr, arg, target_size); - /* copy ifreq[] to target user */ - - argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0); - for (i = 0; i < nb_ifreq ; i++) { - thunk_convert(argptr + i * target_ifreq_size, - host_ifc_buf + i * sizeof(struct ifreq), - ifreq_arg_type, THUNK_TARGET); + if (target_ifc_buf != 0) { + /* copy ifreq[] to target user */ + argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0); + for (i = 0; i < nb_ifreq ; i++) { + thunk_convert(argptr + i * target_ifreq_size, + host_ifc_buf + i * sizeof(struct ifreq), + ifreq_arg_type, THUNK_TARGET); + } + unlock_user(argptr, target_ifc_buf, target_ifc_len); } - unlock_user(argptr, target_ifc_buf, target_ifc_len); } if (free_buf) { -- cgit v1.2.3-55-g7522 From 9d0bd0cdd011edf15949ecdf08c25d8385028983 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 5 Feb 2019 17:42:07 +0000 Subject: linux-user: Check sscanf return value in open_net_route() Coverity warns (CID 1390634) that open_net_route() is not checking the return value from sscanf(), which means that it might then use values that aren't initialized. Errors here should in general not happen since we're passing an assumed-good /proc/net/route from the host kernel, but if we do fail to parse a line then just skip it in the output we pass to the guest. Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Stefano Garzarella Reviewed-by: Laurent Vivier Message-Id: <20190205174207.9278-1-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'linux-user/syscall.c') diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 08acc4d860..5bbb72f3d5 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6768,9 +6768,15 @@ static int open_net_route(void *cpu_env, int fd) char iface[16]; uint32_t dest, gw, mask; unsigned int flags, refcnt, use, metric, mtu, window, irtt; - sscanf(line, "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n", - iface, &dest, &gw, &flags, &refcnt, &use, &metric, - &mask, &mtu, &window, &irtt); + int fields; + + fields = sscanf(line, + "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n", + iface, &dest, &gw, &flags, &refcnt, &use, &metric, + &mask, &mtu, &window, &irtt); + if (fields != 11) { + continue; + } dprintf(fd, "%s\t%08x\t%08x\t%04x\t%d\t%d\t%d\t%08x\t%d\t%u\t%u\n", iface, tswap32(dest), tswap32(gw), flags, refcnt, use, metric, tswap32(mask), mtu, window, irtt); -- cgit v1.2.3-55-g7522