SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix linux-user crashes in ioctl(SIOCGIFCONF) when ifc_buf is NULL.

Browse Source 
Summary:
This is to fix bug https://bugs.launchpad.net/qemu/+bug/1796754.
It is valid for ifc_buf to be NULL according to
http://man7.org/linux/man-pages/man7/netdevice.7.html.

Signed-off-by: Kan Li <likan_999.student@sina.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20181024201303.114-1-likan_999.student@sina.com>
[lv: fix errors reported by checkpatch.pl]
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
This commit is contained in:
Kan Li 2018-10-24 20:13:03 +00:00 committed by Laurent Vivier
parent 47994e16b1
commit 22e4a267a6
1 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
linux-user/syscall.c
View File

@ -4187,28 +4187,33 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
unlock_user(argptr, arg, 0); unlock_user(argptr, arg, 0);
host_ifconf = (struct ifconf *)(unsigned long)buf_temp; host_ifconf = (struct ifconf *)(unsigned long)buf_temp;
target_ifc_len = host_ifconf->ifc_len;
target_ifc_buf = (abi_long)(unsigned long)host_ifconf->ifc_buf; target_ifc_buf = (abi_long)(unsigned long)host_ifconf->ifc_buf;
target_ifreq_size = thunk_type_size(ifreq_arg_type, 0); target_ifreq_size = thunk_type_size(ifreq_arg_type, 0);
nb_ifreq = target_ifc_len / target_ifreq_size;
host_ifc_len = nb_ifreq * sizeof(struct ifreq);
outbufsz = sizeof(*host_ifconf) + host_ifc_len; if (target_ifc_buf != 0) {
if (outbufsz > MAX_STRUCT_SIZE) { target_ifc_len = host_ifconf->ifc_len;
/* We can't fit all the extents into the fixed size buffer. nb_ifreq = target_ifc_len / target_ifreq_size;
* Allocate one that is large enough and use it instead. host_ifc_len = nb_ifreq * sizeof(struct ifreq);
*/
host_ifconf = malloc(outbufsz); outbufsz = sizeof(*host_ifconf) + host_ifc_len;
if (!host_ifconf) { if (outbufsz > MAX_STRUCT_SIZE) {
return -TARGET_ENOMEM; /*
* We can't fit all the extents into the fixed size buffer.
* Allocate one that is large enough and use it instead.
*/
host_ifconf = malloc(outbufsz);
if (!host_ifconf) {
return -TARGET_ENOMEM;
}
memcpy(host_ifconf, buf_temp, sizeof(*host_ifconf));
free_buf = 1;
} }
memcpy(host_ifconf, buf_temp, sizeof(*host_ifconf)); host_ifc_buf = (char *)host_ifconf + sizeof(*host_ifconf);
free_buf = 1;
}
host_ifc_buf = (char*)host_ifconf + sizeof(*host_ifconf);
host_ifconf->ifc_len = host_ifc_len; host_ifconf->ifc_len = host_ifc_len;
} else {
host_ifc_buf = NULL;
}
host_ifconf->ifc_buf = host_ifc_buf; host_ifconf->ifc_buf = host_ifc_buf;
ret = get_errno(safe_ioctl(fd, ie->host_cmd, host_ifconf)); ret = get_errno(safe_ioctl(fd, ie->host_cmd, host_ifconf));
@ -4231,15 +4236,16 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
thunk_convert(argptr, host_ifconf, arg_type, THUNK_TARGET); thunk_convert(argptr, host_ifconf, arg_type, THUNK_TARGET);
unlock_user(argptr, arg, target_size); unlock_user(argptr, arg, target_size);
/* copy ifreq[] to target user */ if (target_ifc_buf != 0) {
/* copy ifreq[] to target user */
argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0); argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0);
for (i = 0; i < nb_ifreq ; i++) { for (i = 0; i < nb_ifreq ; i++) {
thunk_convert(argptr + i * target_ifreq_size, thunk_convert(argptr + i * target_ifreq_size,
host_ifc_buf + i * sizeof(struct ifreq), host_ifc_buf + i * sizeof(struct ifreq),
ifreq_arg_type, THUNK_TARGET); ifreq_arg_type, THUNK_TARGET);
}
unlock_user(argptr, target_ifc_buf, target_ifc_len);
} }
unlock_user(argptr, target_ifc_buf, target_ifc_len);
} }
if (free_buf) { if (free_buf) {