From: Eric Blake
Subject: Re: Out of bounds va_arg access in rpl_fcntl
Date: Wed, 5 Sep 2018 12:28:40 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
On 09/05/2018 11:05 AM, Paul Eggert wrote:
> Eric Blake wrote:
>> While this indeed accesses a parameter not passed by the caller, it is a harmless access.
#if HAVE_FCNTL + /* Pass a pointer as a trailing argument. Although this is + not strictly kosher in theory, in practice it's good enough. */ void *p = va_arg (arg, void *); result = fcntl (fd, action, p);
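Review bot: the new comment ("not strictly kosher in theory, in practice it's good enough") should name the concrete assumption the `void *p = va_arg (arg, void *);` read makes, because that is what any future port has to verify. Reading a void * where the caller passed an int is undefined behaviour under C11 7.16.1.1p2, and for commands that take no third argument the read runs past the end of the argument list; what the code actually relies on is that the platform ABI hands a variadic int and a variadic pointer through the same argument slot and that fcntl ignores the extra argument. Suggest spelling that out, e.g. "/* Read the optional argument as void *. This assumes the ABI passes variadic ints and pointers identically and that fcntl ignores an argument the command does not use; test-fcntl.c checks this. */", so a reader of the #if HAVE_FCNTL branch knows which property the test suite must cover on each platform.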
And for the record, our testsuite tests that this comment actually holds on all platforms that we care about (that is, a caller passing int, rpl_fcntl() parsing it as void* and passing it on as void*, then the kernel reusing it as int, does not suffer from data corruption, even on platforms where pointers are 64 bits and rpl_fcntl() therefore read/passed on 32 bits of garbage alongside the real int):
https://git.savannah.gnu.org/cgit/gnulib.git/tree/tests/test-fcntl.c#n102

The test does not cover the case of rpl_fcntl() passing on garbage to a function that will not consume the argument, but we could add that if it is desired.
-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
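The round trip the message above describes (caller passes an int, the wrapper reads it as void * and forwards it as void *, the callee reads it back as int), as an added example that is not gnulib's code and not its test-fcntl.c. The "kernel" is a constructed stand-in, fake_fcntl(), that consumes its third argument with the type the real command expects, so the program runs without any open descriptors; forward_as_voidp() mirrors the quoted patch's approach, and forward_by_command() is the alternative that dispatches on the command so every va_arg read matches what the caller passed and nothing is read for commands without a third argument. All function names here are the example's own.

```c
/* Added example (not gnulib code): how a variadic fcntl wrapper's
   va_arg choice interacts with the caller's and the callee's types.
   fake_fcntl is a constructed stand-in for the C library's fcntl(),
   not the real syscall, so no descriptors are needed. */
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for fcntl(): reads the third argument with the
   type the real command expects, or not at all for F_GETFD. */
static int fake_fcntl (int fd, int cmd, ...)
{
  va_list ap;
  int result = -1;
  (void) fd;
  va_start (ap, cmd);
  switch (cmd)
    {
    case F_GETFD:              /* no third argument */
      result = 0;
      break;
    case F_SETFD:
    case F_SETFL:
    case F_DUPFD:              /* third argument is an int */
      result = va_arg (ap, int);
      break;
    case F_GETLK:              /* third argument is struct flock * */
      {
        struct flock *fl = va_arg (ap, struct flock *);
        fl->l_type = F_UNLCK;
        result = fl->l_type;
      }
      break;
    default:
      break;
    }
  va_end (ap);
  return result;
}

/* Approach 1, what the quoted patch does: always read the trailing
   argument as void * and forward it as void *. If the caller passed an
   int this is a type mismatch (undefined behaviour per C11 7.16.1.1p2),
   and for F_GETFD it reads past the end of the list; it works where the
   ABI passes variadic ints and pointers through the same slot and the
   callee ignores an argument the command does not use. */
static int forward_as_voidp (int fd, int cmd, ...)
{
  va_list ap;
  va_start (ap, cmd);
  void *p = va_arg (ap, void *);
  va_end (ap);
  return fake_fcntl (fd, cmd, p);
}

/* Approach 2: dispatch on the command so each va_arg reads exactly the
   type the caller passed, and nothing is read for commands that take
   no third argument. This is well-defined C. */
static int forward_by_command (int fd, int cmd, ...)
{
  va_list ap;
  int result;
  va_start (ap, cmd);
  switch (cmd)
    {
    case F_GETLK:
      result = fake_fcntl (fd, cmd, va_arg (ap, struct flock *));
      break;
    case F_SETFD:
    case F_SETFL:
    case F_DUPFD:
      result = fake_fcntl (fd, cmd, va_arg (ap, int));
      break;
    default:
      result = fake_fcntl (fd, cmd);
      break;
    }
  va_end (ap);
  return result;
}

/* Pass an int through a wrapper and back out of the callee, as the
   gnulib test does for rpl_fcntl(). Returns 1 if the value survived. */
int int_round_trips (int (*wrapper) (int, int, ...), int value)
{
  return wrapper (0, F_SETFD, value) == value;
}

/* Pass a pointer command through the dispatching wrapper; returns 1 if
   the callee saw the real struct and updated it. */
int pointer_round_trips (void)
{
  struct flock fl;
  memset (&fl, 0, sizeof fl);
  return forward_by_command (0, F_GETLK, &fl) == F_UNLCK && fl.l_type == F_UNLCK;
}

int main (void)
{
  printf ("void* forwarding: %s\n", int_round_trips (forward_as_voidp, 0x7eadbeef) ? "ok" : "corrupted");
  printf ("per-command:      %s\n", int_round_trips (forward_by_command, 0x7eadbeef) ? "ok" : "corrupted");
  printf ("F_GETLK:          %s\n", pointer_round_trips () ? "ok" : "corrupted");
  return 0;
}
```

On an LP64 platform such as x86_64 Linux both wrappers return the int intact, which is the property the gnulib test checks; the difference is that forward_as_voidp() gets there by relying on the ABI, while forward_by_command() never performs a mismatched or out-of-range va_arg read, so it needs no per-platform verification.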