[v1] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

[PATCH] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

gerben@altlinux.org posted 1 patch 3 months ago

Diff against v2
Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20250814105236.13344-1-gerben@altlinux.org

Maintainers: Laurent Vivier <laurent@vivier.eu>

There is a newer version of this series

linux-user/syscall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Expand all Fold all

[PATCH] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

Posted by gerben@altlinux.org 3 months ago

From: Denis Rastyogin <gerben@altlinux.org>

fd_trans_target_to_host_data() in do_sendrecvmsg_locked() may be
called when msg.msg_iov is NULL, for example when sending with
MSG_MORE and no actual iovec data is present. Dereferencing
msg.msg_iov in this case would lead to a NULL pointer access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: Alexey Appolonov <alexey@altlinux.org>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 59b2080b98..c7e6c53f08 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3300,7 +3300,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
     msg.msg_iov = vec;
 
     if (send) {
-        if (fd_trans_target_to_host_data(fd)) {
+        if (fd_trans_target_to_host_data(fd) && msg.msg_iov->iov_len) {
             void *host_msg;
 
             host_msg = g_malloc(msg.msg_iov->iov_len);
-- 
2.42.2

Re: [PATCH] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

Posted by Manos Pitsidianakis 3 months ago

On Thu, 14 Aug 2025, 13:53 , <gerben@altlinux.org> wrote:

> From: Denis Rastyogin <gerben@altlinux.org>
>
> fd_trans_target_to_host_data() in do_sendrecvmsg_locked() may be
> called when msg.msg_iov is NULL, for example when sending with
> MSG_MORE and no actual iovec data is present. Dereferencing
> msg.msg_iov in this case would lead to a NULL pointer access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Reported-by: Alexey Appolonov <alexey@altlinux.org>
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
>  linux-user/syscall.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 59b2080b98..c7e6c53f08 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -3300,7 +3300,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct
> target_msghdr *msgp,
>      msg.msg_iov = vec;
>
>      if (send) {
> -        if (fd_trans_target_to_host_data(fd)) {
> +        if (fd_trans_target_to_host_data(fd) && msg.msg_iov->iov_len) {
>

Surely you meant ` && msg.msg_iov` instead of dereferencing the iov_len
field? According to the commit message.

             void *host_msg;
>
>              host_msg = g_malloc(msg.msg_iov->iov_len);
> --
> 2.42.2
>
>
>