Google Git
Sign in
qemu / qemu / 1645fb5a1e537f85eda744bfa6e9d3dda047ba28
commit1645fb5a1e537f85eda744bfa6e9d3dda047ba28[log] [tgz]
authorShu-Chun Weng <scw@google.com>Thu Oct 17 17:19:20 2019 -0700
committerLaurent Vivier <laurent@vivier.eu>Mon Oct 21 11:34:18 2019 +0200
tree688a4ab68f99f102371dac1a53df1ade304fa9da
parent53bdbfdf5326ad453b307c5b4bb9e71aeab29cf3 [diff]
Fix unsigned integer underflow in fd-trans.c

In any of these `*_for_each_*` functions, the last entry in the buffer (so the
"remaining length in the buffer" `len` is equal to the length of the
entry `nlmsg_len`/`nla_len`/etc) has size that is not a multiple of the
alignment, the aligned lengths `*_ALIGN(*_len)` will be greater than `len`.
Since `len` is unsigned (`size_t`), it underflows and the loop will read
pass the buffer.

This may manifest as random EINVAL or EOPNOTSUPP error on IO or network
system calls.

Signed-off-by: Shu-Chun Weng <scw@google.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20191018001920.178283-1-scw@google.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
1 file changed
tree: 688a4ab68f99f102371dac1a53df1ade304fa9da
  1. accel/
  2. audio/
  3. authz/
  4. backends/
  5. block/
  6. bsd-user/
  7. chardev/
  8. contrib/
  9. crypto/
  10. default-configs/
  11. disas/
  12. docs/
  13. dump/
  14. fpu/
  15. fsdev/
  16. gdb-xml/
  17. hw/
  18. include/
  19. io/
  20. libdecnumber/
  21. linux-headers/
  22. linux-user/
  23. migration/
  24. monitor/
  25. nbd/
  26. net/
  27. pc-bios/
  28. po/
  29. python/
  30. qapi/
  31. qga/
  32. qobject/
  33. qom/
  34. replay/
  35. roms/
  36. scripts/
  37. scsi/
  38. stubs/
  39. target/
  40. tcg/
  41. tests/
  42. trace/
  43. ui/
  44. util/
  45. capstone
  46. dtc
  47. slirp
  48. .cirrus.yml
  49. .dir-locals.el
  50. .editorconfig
  51. .exrc
  52. .gdbinit
  53. .gitignore
  54. .gitlab-ci.yml
  55. .gitmodules
  56. .gitpublish
  57. .mailmap
  58. .patchew.yml
  59. .shippable.yml
  60. .travis.yml
  61. arch_init.c
  62. balloon.c
  63. block.c
  64. blockdev-nbd.c
  65. blockdev.c
  66. blockjob.c
  67. bootdevice.c
  68. bt-host.c
  69. bt-vhci.c
  70. Changelog
  71. CODING_STYLE.rst
  72. configure
  73. COPYING
  74. COPYING.LIB
  75. cpus-common.c
  76. cpus.c
  77. device-hotplug.c
  78. device_tree.c
  79. disas.c
  80. dma-helpers.c
  81. exec.c
  82. gdbstub.c
  83. gitdm.config
  84. hmp-commands-info.hx
  85. hmp-commands.hx
  86. ioport.c
  87. iothread.c
  88. job-qmp.c
  89. job.c
  90. Kconfig.host
  91. LICENSE
  92. MAINTAINERS
  93. Makefile
  94. Makefile.objs
  95. Makefile.target
  96. memory.c
  97. memory_ldst.inc.c
  98. memory_mapping.c
  99. module-common.c
  100. os-posix.c
  101. os-win32.c
  102. qdev-monitor.c
  103. qemu-bridge-helper.c
  104. qemu-deprecated.texi
  105. qemu-doc.texi
  106. qemu-edid.c
  107. qemu-img-cmds.hx
  108. qemu-img.c
  109. qemu-img.texi
  110. qemu-io-cmds.c
  111. qemu-io.c
  112. qemu-keymap.c
  113. qemu-nbd.c
  114. qemu-nbd.texi
  115. qemu-option-trace.texi
  116. qemu-options-wrapper.h
  117. qemu-options.h
  118. qemu-options.hx
  119. qemu-seccomp.c
  120. qemu-tech.texi
  121. qemu.nsi
  122. qemu.sasl
  123. qtest.c
  124. README.rst
  125. replication.c
  126. replication.h
  127. rules.mak
  128. thunk.c
  129. tpm.c
  130. trace-events
  131. VERSION
  132. version.rc
  133. vl.c