1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH] virDomainSendKey: validate codeset argument

Ilias Stamatis posted 1 patch 4 years, 10 months ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190601124012.14369-1-stamatis.iliass@gmail.com
src/libvirt-domain.c | 7 +++++++
1 file changed, 7 insertions(+)
[libvirt] [PATCH] virDomainSendKey: validate codeset argument
Posted by Ilias Stamatis 4 years, 10 months ago 
This argument wasn't validated anywhere, neither in the generic
implementation nor in the individual drivers. As a result a call to this
function with a large enough codeset value prior to this change causes
libvirtd to crash.

This happens because all drivers call virKeycodeValueTranslate which
uses codeset as an index to the virKeymapValues array, causing an
out-of-bounds error.

Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
---
 src/libvirt-domain.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index df7e405b3e..c09448927b 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
     virCheckNonNullArgGoto(keycodes, error);
     virCheckPositiveArgGoto(nkeycodes, error);
 
+    if (codeset >= VIR_KEYCODE_SET_LAST) {
+        virReportInvalidArg(codeset,
+                            _("codeset must be less than %d"),
+                            VIR_KEYCODE_SET_LAST);
+        goto error;
+    }
+
     if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
         virReportInvalidArg(nkeycodes,
                             _("nkeycodes must be <= %d"),
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] virDomainSendKey: validate codeset argument
Posted by Erik Skultety 4 years, 10 months ago 
On Sat, Jun 01, 2019 at 02:40:12PM +0200, Ilias Stamatis wrote:
> This argument wasn't validated anywhere, neither in the generic
> implementation nor in the individual drivers. As a result a call to this
> function with a large enough codeset value prior to this change causes
> libvirtd to crash.
>
> This happens because all drivers call virKeycodeValueTranslate which
> uses codeset as an index to the virKeymapValues array, causing an
> out-of-bounds error.
>
> Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
> ---
>  src/libvirt-domain.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> index df7e405b3e..c09448927b 100644
> --- a/src/libvirt-domain.c
> +++ b/src/libvirt-domain.c
> @@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
>      virCheckNonNullArgGoto(keycodes, error);
>      virCheckPositiveArgGoto(nkeycodes, error);
>
> +    if (codeset >= VIR_KEYCODE_SET_LAST) {
> +        virReportInvalidArg(codeset,
> +                            _("codeset must be less than %d"),

I think "Unsupported codeset '%d'" sounds a tiny bit better :).

Reviewed-by: Erik Skultety <eskultet@redhat.com>

> +                            VIR_KEYCODE_SET_LAST);
> +        goto error;
> +    }
> +
>      if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
>          virReportInvalidArg(nkeycodes,
>                              _("nkeycodes must be <= %d"),
> --
> 2.21.0
>
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.