[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Out of bounds va_arg access in rpl_fcntl

From: Eric Blake
Subject: Re: Out of bounds va_arg access in rpl_fcntl
Date: Wed, 5 Sep 2018 12:28:40 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 09/05/2018 11:05 AM, Paul Eggert wrote:
Eric Blake wrote:

While this indeed accesses a parameter not passed by the caller, it is a harmless access.

+        /* Pass a pointer as a trailing argument.  Although this is
+           not strictly kosher in theory, in practice it's good enough.  */
          void *p = va_arg (arg, void *);
          result = fcntl (fd, action, p);

And for the record, our testsuite tests that this comment actually holds on all platforms that we care about (that is, a caller passing int, rpl_fcntl() parsing it as void* and passing it on as void*, then the kernel reusing it as int, does not suffer from data corruption, even on platforms where pointers are 64 bits and rpl_fcntl() therefore read/passed on 32 bits of garbage alongside the real int):


The test does not cover the case of rpl_fcntl() passing on garbage to a function that will not consume the argument, but we could add that if it is desired.

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

reply via email to

[Prev in Thread] Current Thread [Next in Thread]