[libvirt] [PATCH] virDomainSendKey: validate codeset argument

Ilias Stamatis posted 1 patch 3 weeks ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190601124012.14369-1-stamatis.iliass@gmail.com
src/libvirt-domain.c | 7 +++++++
1 file changed, 7 insertions(+)

[libvirt] [PATCH] virDomainSendKey: validate codeset argument

Posted by Ilias Stamatis 3 weeks ago
This argument wasn't validated anywhere, neither in the generic
implementation nor in the individual drivers. As a result a call to this
function with a large enough codeset value prior to this change causes
libvirtd to crash.

This happens because all drivers call virKeycodeValueTranslate which
uses codeset as an index to the virKeymapValues array, causing an
out-of-bounds error.

Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
---
 src/libvirt-domain.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index df7e405b3e..c09448927b 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
     virCheckNonNullArgGoto(keycodes, error);
     virCheckPositiveArgGoto(nkeycodes, error);
 
+    if (codeset >= VIR_KEYCODE_SET_LAST) {
+        virReportInvalidArg(codeset,
+                            _("codeset must be less than %d"),
+                            VIR_KEYCODE_SET_LAST);
+        goto error;
+    }
+
     if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
         virReportInvalidArg(nkeycodes,
                             _("nkeycodes must be <= %d"),
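Review bot: The new test `if (codeset >= VIR_KEYCODE_SET_LAST)` bounds the value only from above, and the declared type of `codeset` is not visible in this hunk. If the parameter is a signed type, a negative value passes this check and still reaches the array index the commit message describes. In that case add a lower bound (`codeset < 0 ||`) to the same condition; if it is unsigned, a short comment saying so would make the single-sided check obviously sufficient.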
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] virDomainSendKey: validate codeset argument

Posted by Erik Skultety 3 weeks ago
On Sat, Jun 01, 2019 at 02:40:12PM +0200, Ilias Stamatis wrote:
> This argument wasn't validated anywhere, neither in the generic
> implementation nor in the individual drivers. As a result a call to this
> function with a large enough codeset value prior to this change causes
> libvirtd to crash.
>
> This happens because all drivers call virKeycodeValueTranslate which
> uses codeset as an index to the virKeymapValues array, causing an
> out-of-bounds error.
>
> Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
> ---
>  src/libvirt-domain.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> index df7e405b3e..c09448927b 100644
> --- a/src/libvirt-domain.c
> +++ b/src/libvirt-domain.c
> @@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
>      virCheckNonNullArgGoto(keycodes, error);
>      virCheckPositiveArgGoto(nkeycodes, error);
>
> +    if (codeset >= VIR_KEYCODE_SET_LAST) {
> +        virReportInvalidArg(codeset,
> +                            _("codeset must be less than %d"),

I think "Unsupported codeset '%d'" sounds a tiny bit better :).

Reviewed-by: Erik Skultety <eskultet@redhat.com>

> +                            VIR_KEYCODE_SET_LAST);
> +        goto error;
> +    }
> +
>      if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
>          virReportInvalidArg(nkeycodes,
>                              _("nkeycodes must be <= %d"),
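Review bot: The check at `if (codeset >= VIR_KEYCODE_SET_LAST)` covers only callers that enter through virDomainSendKey, while the commit message places the actual array indexing in virKeycodeValueTranslate. Consider also rejecting an out-of-range codeset inside virKeycodeValueTranslate itself, so that any other caller of that helper is covered, and adding a test that passes VIR_KEYCODE_SET_LAST as the codeset and expects the invalid-argument error.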
> --
> 2.21.0