[libvirt] [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref

From 94923b161a9d066146271bb533b78ab7877e4501 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 14 Dec 2009 17:17:53 +0100 Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
* src/libvirt.c (virDomainGetVcpus): Update spec to say that maplen is ignored when "cpumaps" is NULL. Set maplen to 0 in that case. --- src/libvirt.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index 008e322..4325aa4 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4753,6 +4753,7 @@ error: * virDomainPinVcpu() API. * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in * underlying virtualization system (Xen...). + * Ignored when cpumaps is NULL. * * Extract information about virtual CPUs of domain, store it in info array * and also in cpumaps if this pointer isn't NULL. @@ -4776,6 +4777,12 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo, virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } + + /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if (cpumaps == NULL) + maplen = 0; + if (cpumaps != NULL && maplen < 1) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; -- 1.6.6.rc2.275.g51e2d
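Review bot: in the second hunk, forcing maplen to 0 when cpumaps is NULL silently hides a caller bug (a non-zero maplen with no buffer to fill) instead of reporting it, while the very next branch already raises VIR_ERR_INVALID_ARG for the mirror case (cpumaps != NULL && maplen < 1). Reject the inconsistent combination the same way, e.g. `if (cpumaps == NULL && maplen != 0) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; }`, rather than coercing the argument; the doc change in the first hunk ("Ignored when cpumaps is NULL") would then become a stated requirement on maplen rather than a promise to tolerate garbage.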

On Mon, Dec 14, 2009 at 05:18:54PM +0100, Jim Meyering wrote:
From 94923b161a9d066146271bb533b78ab7877e4501 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 14 Dec 2009 17:17:53 +0100 Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
* src/libvirt.c (virDomainGetVcpus): Update spec to say that maplen is ignored when "cpumaps" is NULL. Set maplen to 0 in that case. --- src/libvirt.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/libvirt.c b/src/libvirt.c index 008e322..4325aa4 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4753,6 +4753,7 @@ error: * virDomainPinVcpu() API. * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in * underlying virtualization system (Xen...). + * Ignored when cpumaps is NULL. * * Extract information about virtual CPUs of domain, store it in info array * and also in cpumaps if this pointer isn't NULL. @@ -4776,6 +4777,12 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo, virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } + + /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if (cpumaps == NULL) + maplen = 0; + if (cpumaps != NULL && maplen < 1) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; --
I wonder if it might be better to return an error in that case. Passing a NULL cpumaps and a non-zero maplen seems like a real application bug we should complain about.

if (cpumaps == NULL && maplen != 0) ....error...

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Daniel P. Berrange wrote:
On Mon, Dec 14, 2009 at 05:18:54PM +0100, Jim Meyering wrote:
From 94923b161a9d066146271bb533b78ab7877e4501 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 14 Dec 2009 17:17:53 +0100 Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
* src/libvirt.c (virDomainGetVcpus): Update spec to say that maplen is ignored when "cpumaps" is NULL. Set maplen to 0 in that case. --- src/libvirt.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/libvirt.c b/src/libvirt.c index 008e322..4325aa4 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4753,6 +4753,7 @@ error: * virDomainPinVcpu() API. * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in * underlying virtualization system (Xen...). + * Ignored when cpumaps is NULL. * * Extract information about virtual CPUs of domain, store it in info array * and also in cpumaps if this pointer isn't NULL. @@ -4776,6 +4777,12 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo, virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } + + /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if (cpumaps == NULL) + maplen = 0; + if (cpumaps != NULL && maplen < 1) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; --
I wonder if it might be better to return an error in that case. Passing a NULL cpumaps and a non-zero maplen seems like a real application bug we should complain about.
if (cpumaps == NULL && maplen != 0) ....error...
Either way is fine with me. I was trying to preserve what looked like existing intent. Let me know.

Daniel P. Berrange wrote: ...
+ /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if (cpumaps == NULL) + maplen = 0; + if (cpumaps != NULL && maplen < 1) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; --
I wonder if it might be better to return an error in that case. Passing a NULL cpumaps and a non-zero maplen seems like a real application bug we should complain about.
if (cpumaps == NULL && maplen != 0) ....error...
Ok. Here's a revised patch.
From d37bca86d0224052cb22d318fb7a4388909fc5e0 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 14 Dec 2009 17:17:53 +0100 Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
* src/libvirt.c (virDomainGetVcpus): Describe new, stronger requirement on "maplen"s relationship to "cpumaps". --- src/libvirt.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index 008e322..103b331 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4753,6 +4753,7 @@ error: * virDomainPinVcpu() API. * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in * underlying virtualization system (Xen...). + * Must be zero when cpumaps is NULL and positive when it is non-NULL. * * Extract information about virtual CPUs of domain, store it in info array * and also in cpumaps if this pointer isn't NULL. @@ -4776,7 +4777,11 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo, virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } - if (cpumaps != NULL && maplen < 1) { + + /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if ((cpumaps == NULL && maplen != 0) + || (cpumaps && maplen <= 0)) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } -- 1.6.6.rc2.275.g51e2d
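Review bot: the new condition in the second hunk mixes two styles, `cpumaps == NULL` in the first half and the bare truthiness test `cpumaps && maplen <= 0` in the second; write `cpumaps != NULL && maplen <= 0` so both halves read the same way as the surrounding checks. The comment kept above it ("does not try to memcpy anything into a NULL pointer") describes a consequence, not the rule now being enforced; restating the contract from the first hunk (maplen must be 0 when cpumaps is NULL and positive otherwise) would keep comment, doc and code saying the same thing.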
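A stand-alone C model, added here and not libvirt's code, of the maplen/cpumaps contract the revised patch enforces in the public entry point: the revised check beside the pre-patch one, and a hypothetical driver stand-in (fake_driver_get_vcpus) that trusts its caller and fills maplen bytes per vCPU, so the rejected combination never reaches it. All function names and the fill pattern are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libvirt code. Models the maplen/cpumaps contract that the
 * revised patch enforces in the public virDomainGetVcpus() entry point.
 * All names here are hypothetical. */

enum { VCPUS_OK = 0, VCPUS_EINVAL = -1 };

/* Check from the revised patch: maplen must be 0 when cpumaps is NULL and
 * positive when it is non-NULL. Anything else is an invalid argument. */
int vcpus_check_cpumap_args(const unsigned char *cpumaps, int maplen)
{
    if ((cpumaps == NULL && maplen != 0) ||
        (cpumaps != NULL && maplen <= 0))
        return VCPUS_EINVAL;
    return VCPUS_OK;
}

/* Check as it stood before the patch: only the non-NULL side was covered,
 * so NULL cpumaps with maplen > 0 passed straight through to the driver. */
int vcpus_check_cpumap_args_old(const unsigned char *cpumaps, int maplen)
{
    return (cpumaps != NULL && maplen < 1) ? VCPUS_EINVAL : VCPUS_OK;
}

/* Driver stand-in: like the remote driver the patch mentions, it trusts the
 * caller and writes maplen bytes for each vCPU into cpumaps. With cpumaps
 * == NULL and maplen > 0 this is the NULL dereference the patch prevents.
 * The fill pattern (vCPU i pinned to CPU i in every byte) is constructed. */
static int fake_driver_get_vcpus(unsigned char *cpumaps, int maplen, int nvcpus)
{
    for (int i = 0; i < nvcpus; i++)
        memset(cpumaps + (size_t)i * (size_t)maplen, 1 << (i % 8), (size_t)maplen);
    return nvcpus;
}

/* Public entry point modelled on the patched function: validate first, and
 * only hand the driver a buffer when the caller actually supplied one. */
int vcpus_get(unsigned char *cpumaps, int maplen, int nvcpus)
{
    if (vcpus_check_cpumap_args(cpumaps, maplen) != VCPUS_OK)
        return VCPUS_EINVAL;
    if (cpumaps == NULL)        /* info only: nothing to copy */
        return nvcpus;
    return fake_driver_get_vcpus(cpumaps, maplen, nvcpus);
}
```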

On Mon, Dec 14, 2009 at 05:18:54PM +0100, Jim Meyering wrote:
From 94923b161a9d066146271bb533b78ab7877e4501 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 14 Dec 2009 17:17:53 +0100 Subject: [PATCH] libvirt.c: don't let a NULL "cpumaps" argument provoke a NULL-deref
* src/libvirt.c (virDomainGetVcpus): Update spec to say that maplen is ignored when "cpumaps" is NULL.
s/spec/doc/ to avoid confusion with spec file :-)
Set maplen to 0 in that case. --- src/libvirt.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/libvirt.c b/src/libvirt.c index 008e322..4325aa4 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4753,6 +4753,7 @@ error: * virDomainPinVcpu() API. * @maplen: number of bytes in one cpumap, from 1 up to size of CPU map in * underlying virtualization system (Xen...). + * Ignored when cpumaps is NULL. * * Extract information about virtual CPUs of domain, store it in info array * and also in cpumaps if this pointer isn't NULL. @@ -4776,6 +4777,12 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo, virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } + + /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not + try to memcpy anything into a NULL pointer. */ + if (cpumaps == NULL) + maplen = 0; + if (cpumaps != NULL && maplen < 1) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error;
Okay, that's one simple way to raise the error, ACK,

Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
participants (3)
- Daniel P. Berrange
- Daniel Veillard
- Jim Meyering