Re: Out of bounds va_arg access in rpl_fcntl

From: Eric Blake
Subject: Re: Out of bounds va_arg access in rpl_fcntl
Date: Wed, 5 Sep 2018 08:16:02 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 09/05/2018 05:33 AM, Frank Busse wrote:

> this was found by using KLEE [1] on Coreutils 8.30 (shred, stty, sync,
> tail, and probably also in dd (untested)). These tools call
>
> fcntl (fd, F_GETFL)
>
> F_GETFL is not handled in fcntl.c:rpl_fcntl and the default case tries
> to access a non-existing argument:
>
>          void *p = va_arg (arg, void *); <---
>          result = fcntl (fd, action, p);

While this indeed accesses a parameter not passed by the caller, it is a harmless access. It doesn't matter what garbage we pass on to the kernel in that parameter slot, because the kernel doesn't read that parameter for F_GETFL.

Is this merely something triggering a warning in the KLEE static checker tool, or is it something that is causing actual runtime failures? Is there a way to annotate things in such a way that KLEE can ignore the pattern as intentional and safe?

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
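The pattern under discussion is a variadic fcntl wrapper whose default case calls va_arg for a command that was given no third argument. The example below is added here to illustrate the point; it is not gnulib's rpl_fcntl and not code from the thread. It assumes a small, hand-picked classification of commands (no argument, int argument, pointer argument) so that va_arg is only ever called when the caller really passed something, which is what a checker such as KLEE would expect. The command sets in cmd_takes_no_arg and cmd_takes_pointer are an assumption for illustration, not an exhaustive list for any particular platform.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

/* Added illustration, not gnulib's rpl_fcntl.  The command lists below are
   an assumption chosen for this example; a real wrapper would cover every
   command the platform defines. */

/* Commands that take no third argument: va_arg must not be called. */
static int cmd_takes_no_arg (int cmd)
{
  switch (cmd)
    {
    case F_GETFD:
    case F_GETFL:
    case F_GETOWN:
      return 1;
    default:
      return 0;
    }
}

/* Commands whose third argument is a pointer (struct flock *). */
static int cmd_takes_pointer (int cmd)
{
  switch (cmd)
    {
    case F_GETLK:
    case F_SETLK:
    case F_SETLKW:
      return 1;
    default:
      return 0;
    }
}

/* Wrapper that reads a variadic argument only when one was passed.
   Anything not classified above is treated as taking an int
   (F_DUPFD, F_SETFD, F_SETFL, F_SETOWN, ...). */
int safe_fcntl (int fd, int cmd, ...)
{
  va_list ap;
  int result;

  va_start (ap, cmd);
  if (cmd_takes_no_arg (cmd))
    result = fcntl (fd, cmd);          /* ap is never dereferenced */
  else if (cmd_takes_pointer (cmd))
    {
      void *p = va_arg (ap, void *);
      result = fcntl (fd, cmd, p);
    }
  else
    {
      int x = va_arg (ap, int);
      result = fcntl (fd, cmd, x);
    }
  va_end (ap);
  return result;
}

/* Demo: read flags with F_GETFL (two-argument call), set O_NONBLOCK,
   and confirm F_GETFL reports it.  Returns 1 on success, 0 otherwise. */
int demo_nonblock_roundtrip (void)
{
  int fds[2];
  int ok = 0;

  if (pipe (fds) != 0)
    return 0;

  int flags = safe_fcntl (fds[0], F_GETFL);        /* no third argument */
  if (flags >= 0
      && safe_fcntl (fds[0], F_SETFL, flags | O_NONBLOCK) == 0
      && (safe_fcntl (fds[0], F_GETFL) & O_NONBLOCK) != 0)
    ok = 1;

  close (fds[0]);
  close (fds[1]);
  return ok;
}

int main (void)
{
  printf ("O_NONBLOCK round trip via safe_fcntl: %s\n",
          demo_nonblock_roundtrip () ? "ok" : "FAILED");
  return 0;
}
```

The design choice is simply to decide per command whether a third argument exists before touching the va_list, rather than relying on the kernel ignoring whatever garbage the unconditional va_arg produced. Both behave the same at runtime on the platforms described in the thread, but only the classified form is free of the out-of-bounds read a symbolic-execution tool flags.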
