linux-user: Fix Coverity CID 1430271 / CID 1430272
In new functions print_ioctl() and print_syscall_ret_ioctl(), we don't
check if lock_user() returns NULL and this would cause a segfault in
thunk_print().
If lock_user() returns NULL don't call thunk_print() but prints only the
value of the (invalid) pointer.
Tested with:
# cat ioctl.c
#include <unistd.h>
#include <sys/ioctl.h>
int main(void)
{
int ret;
ret = ioctl(STDOUT_FILENO, TCGETS, 0xdeadbeef);
ret = ioctl(STDOUT_FILENO, TCSETSF, 0xdeadbeef);
return 0;
}
# QEMU_STRACE= ./ioctl
...
578 ioctl(1,TCGETS,0xdeadbeef) = -1 errno=2 (Bad address)
578 ioctl(1,TCSETSF,0xdeadbeef) = -1 errno=2 (Bad address)
...
# QEMU_STRACE= passwd
...
623 ioctl(0,TCGETS,0x3fffed04) = 0 ({})
623 ioctl(0,TCSETSF,{}) = 0
...
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 79482e5987c8 ("linux-user: Add strace support for printing arguments of ioctl()")
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Laurent Vivier
parent
d8c08b1e6c
commit
4c1850c130
@ -889,8 +889,12 @@ print_syscall_ret_ioctl(const struct syscallname *name, abi_long ret,
|
||||
arg_type++;
|
||||
target_size = thunk_type_size(arg_type, 0);
|
||||
argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
|
||||
if (argptr) {
|
||||
thunk_print(argptr, arg_type);
|
||||
unlock_user(argptr, arg2, target_size);
|
||||
} else {
|
||||
print_pointer(arg2, 1);
|
||||
}
|
||||
qemu_log(")");
|
||||
}
|
||||
}
|
||||
@ -3119,8 +3123,12 @@ print_ioctl(const struct syscallname *name,
|
||||
arg_type++;
|
||||
target_size = thunk_type_size(arg_type, 0);
|
||||
argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
|
||||
if (argptr) {
|
||||
thunk_print(argptr, arg_type);
|
||||
unlock_user(argptr, arg2, target_size);
|
||||
} else {
|
||||
print_pointer(arg2, 1);
|
||||
}
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user