Commit 22e4a267 authored by Kan Li's avatar Kan Li Committed by Laurent Vivier

Fix linux-user crashes in ioctl(SIOCGIFCONF) when ifc_buf is NULL.

Summary:
This is to fix bug https://bugs.launchpad.net/qemu/+bug/1796754.
It is valid for ifc_buf to be NULL according to
http://man7.org/linux/man-pages/man7/netdevice.7.html.

Signed-off-by: default avatarKan Li <likan_999.student@sina.com>
Reviewed-by: default avatarLaurent Vivier <lvivier@redhat.com>
Message-Id: <20181024201303.114-1-likan_999.student@sina.com>
[lv: fix errors reported by checkpatch.pl]
Signed-off-by: default avatarLaurent Vivier <laurent@vivier.eu>
parent 47994e16
+31 −25
@@ -4187,16 +4187,18 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
    unlock_user(argptr, arg, 0);

    host_ifconf = (struct ifconf *)(unsigned long)buf_temp;
    target_ifc_len = host_ifconf->ifc_len;
    target_ifc_buf = (abi_long)(unsigned long)host_ifconf->ifc_buf;

    target_ifreq_size = thunk_type_size(ifreq_arg_type, 0);

    if (target_ifc_buf != 0) {
        target_ifc_len = host_ifconf->ifc_len;
        nb_ifreq = target_ifc_len / target_ifreq_size;
        host_ifc_len = nb_ifreq * sizeof(struct ifreq);

        outbufsz = sizeof(*host_ifconf) + host_ifc_len;
        if (outbufsz > MAX_STRUCT_SIZE) {
        /* We can't fit all the extents into the fixed size buffer.
            /*
             * We can't fit all the extents into the fixed size buffer.
             * Allocate one that is large enough and use it instead.
             */
            host_ifconf = malloc(outbufsz);
@@ -4209,6 +4211,9 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
        host_ifc_buf = (char *)host_ifconf + sizeof(*host_ifconf);

        host_ifconf->ifc_len = host_ifc_len;
    } else {
      host_ifc_buf = NULL;
    }
    host_ifconf->ifc_buf = host_ifc_buf;

    ret = get_errno(safe_ioctl(fd, ie->host_cmd, host_ifconf));
@@ -4231,8 +4236,8 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
        thunk_convert(argptr, host_ifconf, arg_type, THUNK_TARGET);
        unlock_user(argptr, arg, target_size);

        if (target_ifc_buf != 0) {
            /* copy ifreq[] to target user */

            argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0);
            for (i = 0; i < nb_ifreq ; i++) {
                thunk_convert(argptr + i * target_ifreq_size,
@@ -4241,6 +4246,7 @@ static abi_long do_ioctl_ifconf(const IOCTLEntry *ie, uint8_t *buf_temp,
            }
            unlock_user(argptr, target_ifc_buf, target_ifc_len);
        }
    }

    if (free_buf) {
        free(host_ifconf);
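Review bot: The `argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0);` call inside the new `if (target_ifc_buf != 0)` branch still has no NULL check, so a guest that passes a non-NULL `ifc_buf` pointing at unmapped or read-only memory gets past the new guard and the `thunk_convert(argptr + i * target_ifreq_size, …)` loop writes through a NULL-based pointer — the same class of crash this commit fixes for the NULL-pointer case. I would set `ret = -TARGET_EFAULT` and skip the copy rather than return directly, because the `if (free_buf) free(host_ifconf);` cleanup at the bottom must still run for the malloc'd buffer (do_ioctl_ifconf starts before the first hunk and its final return is not visible, so I am assuming it ends with `return ret;`). Two smaller points: `host_ifc_buf = NULL;` in the new `else` branch is indented six spaces instead of eight, and the new `if (target_ifc_buf != 0)` near the top deserves a why-comment such as `/* A NULL ifc_buf is the documented size-query form: the kernel only reports the needed ifc_len, so no ifreq[] array is set up here or copied back below. */`.

```c
        if (target_ifc_buf != 0) {
            /* copy ifreq[] to target user */
            argptr = lock_user(VERIFY_WRITE, target_ifc_buf, target_ifc_len, 0);
            if (!argptr) {
                /* Guest ifc_buf is not writable; fall through to the free_buf cleanup. */
                ret = -TARGET_EFAULT;
            } else {
                for (i = 0; i < nb_ifreq ; i++) {
                    /* … unchanged: thunk_convert of each ifreq entry … */
                }
                unlock_user(argptr, target_ifc_buf, target_ifc_len);
            }
        }
```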