When we dynamically generate a name for a configuration in get-reg-list
we use strcat() to append to a buffer allocated using malloc() but we
never initialise that buffer. Since malloc() offers no guarantees
regarding the contents of the memory it returns this can lead to us
corrupting, and likely overflowing, the buffer:
vregs: PASS
vregs+pmu: PASS
sve: PASS
sve+pmu: PASS
vregs+pauth_address+pauth_generic: PASS
X�vr+gspauth_addre+spauth_generi+pmu: PASS
Initialise the buffer to an empty string to avoid this.
Fixes: 2f9ace5d4557 ("KVM: arm64: selftests: get-reg-list: Introduce vcpu configs")
Reviewed-by: Andrew Jones <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
---
Changes in v3:
- Rebase this bugfix onto v6.7-rc1
- Link to v2: https://lore.kernel.org/r/[email protected]
Changes in v2:
- Update Fixes: tag.
- Link to v1: https://lore.kernel.org/r/[email protected]
---
tools/testing/selftests/kvm/get-reg-list.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c
index be7bf5224434..dd62a6976c0d 100644
--- a/tools/testing/selftests/kvm/get-reg-list.c
+++ b/tools/testing/selftests/kvm/get-reg-list.c
@@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c)
c->name = malloc(len);
+ c->name[0] = '\0';
len = 0;
for_each_sublist(c, s) {
if (!strcmp(s->name, "base"))
---
base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
Best regards,
--
Mark Brown <[email protected]>
On 12/11/23 14:08, Mark Brown wrote:
> When we dynamically generate a name for a configuration in get-reg-list
> we use strcat() to append to a buffer allocated using malloc() but we
> never initialise that buffer. Since malloc() offers no guarantees
> regarding the contents of the memory it returns this can lead to us
> corrupting, and likely overflowing, the buffer:
>
> vregs: PASS
> vregs+pmu: PASS
> sve: PASS
> sve+pmu: PASS
> vregs+pauth_address+pauth_generic: PASS
> X�vr+gspauth_addre+spauth_generi+pmu: PASS
>
> Initialise the buffer to an empty string to avoid this.
> diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c
> index be7bf5224434..dd62a6976c0d 100644
> --- a/tools/testing/selftests/kvm/get-reg-list.c
> +++ b/tools/testing/selftests/kvm/get-reg-list.c
> @@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c)
>
> c->name = malloc(len);
>
> + c->name[0] = '\0';
> len = 0;
> for_each_sublist(c, s) {
> if (!strcmp(s->name, "base"))
> continue;
> strcat(c->name + len, s->name);
This can be fixed just by s/strcat/strcpy/, but there's also an ugly
hidden assumption that for_each_sublist runs at least one iteration of
the loop; otherwise, the loop ends with a c->name[-1] = '\0';
> len += strlen(s->name) + 1;
> c->name[len - 1] = '+';
> }
> c->name[len - 1] = '\0';
Now this *is* a bit academic, but it remains the fact that all the
invariants are screwed up and while we're fixing it we might at least
fix it well.
So let's make the invariant that c->name[0..len-1] is initialized. Then
every write is done with either strcpy of c->name[len++] = '...'.
> ---
> base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
> change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
>
> Best regards,