|
| From: | Eric Blake |
| Subject: | Re: [Qemu-devel] [PATCH 7/8] io: file descriptor not initialized in qio_channel_command_new_spawn() |
| Date: | Thu, 30 Aug 2018 11:18:10 -0500 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 |
On 08/30/2018 10:47 AM, Liam Merwick wrote:
Incorrect checking of flags could result in uninitialized file descriptor being used. Signed-off-by: Liam Merwick <address@hidden> Reviewed-by: Darren Kenny <address@hidden> Reviewed-by: Mark Kanda <address@hidden> --- io/channel-command.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/io/channel-command.c b/io/channel-command.c index 3e7eb17eff54..38deb687da21 100644 --- a/io/channel-command.c +++ b/io/channel-command.c @@ -59,10 +59,10 @@ qio_channel_command_new_spawn(const char *const argv[],flags = flags & O_ACCMODE; - if (flags == O_RDONLY) {+ if ((flags & O_RDONLY) == O_RDONLY) {
NACK. O_RDONLY and O_WRONLY are subsets of O_ACCMODE, which we already masked out above.
On some systems, we have: O_RDONLY == 0 O_WRONLY == 1 O_RDWR == 2 On other systems, we have: O_RDONLY == 1 O_WRONLY == 2 O_RDWR == 3Either way, if the user passed in O_RDWR, (flags & O_RDONLY) == O_RDONLY returns true, which is wrong.
O_ACCMODE was historically 0x3, although now that POSIX has O_EXEC and O_SEARCH (which can be the same bit pattern), some systems now make O_ACCMODE occupy 3 bits instead of 2.
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
| [Prev in Thread] | Current Thread | [Next in Thread] |