Passing a NULL "models" pointer along with a contradictory "nmodels >= 1" would cause a NULL-dereference. An alternative to the fix below would be simply to guard the NULL-derferencing strcmp with "if (models ...", but that wouldn't tell the caller that they're passing bogus arguments. >From f57bd1fbe7a41b1b9d8ba1be61790e95b5060ddc Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering(a)redhat.com&gt; Date: Tue, 26 Jan 2010 19:58:48 +0100 Subject: [PATCH] cpu_x86.c: avoid NULL-deref for invalid arguments * src/cpu/cpu_x86.c (x86Decode): Do not dereference NULL when "models" is NULL and nmodels is 1 or greater. --- src/cpu/cpu_x86.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c index dae7c90..47dc400 100644 --- a/src/cpu/cpu_x86.c +++ b/src/cpu/cpu_x86.c @@ -1,7 +1,7 @@ /* * cpu_x86.c: CPU driver for CPUs with x86 compatible CPUID instruction * - * Copyright (C) 2009 Red Hat, Inc. + * Copyright (C) 2009-2010 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -954,6 +954,9 @@ x86Decode(virCPUDefPtr cpu, if (data == NULL || (map = x86LoadMap()) == NULL) return -1; + if (models == NULL && nmodels != 0) + return -1; + candidate = map->models; while (candidate != NULL) { bool allowed = (models == NULL);

Passing a NULL "models" pointer along with a contradictory "nmodels >= 1" would cause a NULL-dereference. An alternative to the fix below would be simply to guard the NULL-derferencing strcmp with "if (models ...", but that wouldn't tell the caller that they're passing bogus arguments.

diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c index dae7c90..47dc400 100644 --- a/src/cpu/cpu_x86.c +++ b/src/cpu/cpu_x86.c @@ -1,7 +1,7 @@ /* * cpu_x86.c: CPU driver for CPUs with x86 compatible CPUID instruction * - * Copyright (C) 2009 Red Hat, Inc. + * Copyright (C) 2009-2010 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -954,6 +954,9 @@ x86Decode(virCPUDefPtr cpu, if (data == NULL || (map = x86LoadMap()) == NULL) return -1; + if (models == NULL && nmodels != 0) + return -1; +

> Passing a NULL "models" pointer along with a > contradictory "nmodels >= 1" would cause a NULL-dereference. > > An alternative to the fix below would be simply to guard > the NULL-derferencing strcmp with "if (models ...", > but that wouldn't tell the caller that they're passing > bogus arguments. ... > diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c > index dae7c90..47dc400 100644 > --- a/src/cpu/cpu_x86.c > +++ b/src/cpu/cpu_x86.c > @@ -1,7 +1,7 @@ > /* > * cpu_x86.c: CPU driver for CPUs with x86 compatible CPUID instruction > * > - * Copyright (C) 2009 Red Hat, Inc. > + * Copyright (C) 2009-2010 Red Hat, Inc. > * > * This library is free software; you can redistribute it and/or > * modify it under the terms of the GNU Lesser General Public > @@ -954,6 +954,9 @@ x86Decode(virCPUDefPtr cpu, > if (data == NULL || (map = x86LoadMap()) == NULL) > return -1; > > + if (models == NULL && nmodels != 0) > + return -1; > + Hmm, this check introduces a possible memory leak, as it exists the function without freeing map. We could just move the check at the beginning of the function but since this is a private architecture specific implementation for cpuDecode, I'd rather move the check one level up to the arch independent entry point. A patch for that is attached.