[v2] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

[PATCH v2] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

gerben@altlinux.org posted 1 patch 3 months ago

Diff against v1
Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20250814105649.13521-1-gerben@altlinux.org

Maintainers: Laurent Vivier <laurent@vivier.eu>

linux-user/syscall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Expand all Fold all

[PATCH v2] linux-user: prevent NULL dereference in do_sendrecvmsg_locked()

Posted by gerben@altlinux.org 3 months ago

From: Denis Rastyogin <gerben@altlinux.org>

fd_trans_target_to_host_data() in do_sendrecvmsg_locked() may be
called when msg.msg_iov is NULL, for example when sending with
MSG_MORE and no actual iovec data is present. Dereferencing
msg.msg_iov in this case would lead to a NULL pointer access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: Alexey Appolonov <alexey@altlinux.org>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 59b2080b98..c7e6c53f08 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3300,7 +3300,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
     msg.msg_iov = vec;
 
     if (send) {
-        if (fd_trans_target_to_host_data(fd)) {
+        if (fd_trans_target_to_host_data(fd) && msg.msg_iov) {
             void *host_msg;
 
             host_msg = g_malloc(msg.msg_iov->iov_len);
-- 
2.42.2