On 12/11/23 14:08, Mark Brown wrote:
When we dynamically generate a name for a configuration in get-reg-list we use strcat() to append to a buffer allocated using malloc() but we never initialise that buffer. Since malloc() offers no guarantees regarding the contents of the memory it returns this can lead to us corrupting, and likely overflowing, the buffer:
vregs: PASS vregs+pmu: PASS sve: PASS sve+pmu: PASS vregs+pauth_address+pauth_generic: PASS X�vr+gspauth_addre+spauth_generi+pmu: PASS
Initialise the buffer to an empty string to avoid this.
diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c index be7bf5224434..dd62a6976c0d 100644 --- a/tools/testing/selftests/kvm/get-reg-list.c +++ b/tools/testing/selftests/kvm/get-reg-list.c @@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c) c->name = malloc(len);
- c->name[0] = '\0'; len = 0; for_each_sublist(c, s) { if (!strcmp(s->name, "base")) continue; strcat(c->name + len, s->name);
This can be fixed just by s/strcat/strcpy/, but there's also an ugly hidden assumption that for_each_sublist runs at least one iteration of the loop; otherwise, the loop ends with a c->name[-1] = '\0';
len += strlen(s->name) + 1; c->name[len - 1] = '+'; } c->name[len - 1] = '\0';
Now this *is* a bit academic, but it remains the fact that all the invariants are screwed up and while we're fixing it we might at least fix it well.
So let's make the invariant that c->name[0..len-1] is initialized. Then every write is done with either strcpy of c->name[len++] = '...'.
base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86 change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
Best regards,