[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 02/15] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_ev
From: |
Thomas Huth |
Subject: |
[PULL 02/15] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine() |
Date: |
Mon, 11 Jan 2021 14:43:15 +0100 |
From: Gan Qixin <ganqixin@huawei.com>
When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause
heap buffer overflow. Therefore, use strncmp to avoid this problem.
The asan showed stack:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
0x60200000f2f4 thread T0
#0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
#1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
#2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
#3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
#4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Gan Qixin <ganqixin@huawei.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20210106050625.518041-1-ganqixin@huawei.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
tests/qtest/libqtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index 8e93b0a707..5249a628cc 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -1279,7 +1279,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char
*machine),
g_assert(qstr);
mname = qstring_get_str(qstr);
/* Ignore machines that cannot be used for qtests */
- if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
+ if (!strncmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
continue;
}
if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) {
--
2.27.0
- [PULL 00/15] Testing, CI and bsd-user patches, Thomas Huth, 2021/01/11
- [PULL 02/15] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine(),
Thomas Huth <=
- [PULL 01/15] gitlab-ci.yml: Add openSUSE Leap 15.2 for gitlab CI/CD, Thomas Huth, 2021/01/11
- [PULL 03/15] util/oslib-win32: Fix _aligned_malloc() arguments order, Thomas Huth, 2021/01/11
- [PULL 05/15] fuzz: double the IOs to remove for every loop, Thomas Huth, 2021/01/11
- [PULL 04/15] fuzz: accelerate non-crash detection, Thomas Huth, 2021/01/11
- [PULL 09/15] fuzz: add minimization options, Thomas Huth, 2021/01/11
- [PULL 08/15] fuzz: set bits in operand of write/out to zero, Thomas Huth, 2021/01/11
- [PULL 10/15] fuzz: heuristic split write based on past IOs, Thomas Huth, 2021/01/11
- [PULL 07/15] fuzz: remove IO commands iteratively, Thomas Huth, 2021/01/11
- [PULL 06/15] fuzz: split write operand using binary approach, Thomas Huth, 2021/01/11
- [PULL 11/15] bsd-user: regenerate FreeBSD's system call numbers, Thomas Huth, 2021/01/11