On 12/11/23 14:08, Mark Brown wrote:
When we dynamically generate a name for a configuration in get-reg-list
we use strcat() to append to a buffer allocated using malloc() but we
never initialise that buffer. Since malloc() offers no guarantees
regarding the contents of the memory it returns this can lead to us
corrupting, and likely overflowing, the buffer:
vregs: PASS
vregs+pmu: PASS
sve: PASS
sve+pmu: PASS
vregs+pauth_address+pauth_generic: PASS
X�vr+gspauth_addre+spauth_generi+pmu: PASS
Initialise the buffer to an empty string to avoid this.
diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c
index be7bf5224434..dd62a6976c0d 100644
--- a/tools/testing/selftests/kvm/get-reg-list.c
+++ b/tools/testing/selftests/kvm/get-reg-list.c
@@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c)
c->name = malloc(len);
+ c->name[0] = '\0';
len = 0;
for_each_sublist(c, s) {
if (!strcmp(s->name, "base"))
continue;
strcat(c->name + len, s->name);
This can be fixed just by s/strcat/strcpy/, but there's also an ugly
hidden assumption that for_each_sublist runs at least one iteration of
the loop; otherwise, the loop ends with a c->name[-1] = '\0';
len += strlen(s->name) + 1;
c->name[len - 1] = '+';
}
c->name[len - 1] = '\0';
Now this *is* a bit academic, but it remains the fact that all the
invariants are screwed up and while we're fixing it we might at least
fix it well.
So let's make the invariant that c->name[0..len-1] is initialized. Then
every write is done with either strcpy of c->name[len++] = '...'.
---
base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
Best regards,
