[PATCH] linux-user: fix off-by-one in host_to_target_for_each_rtattr()

Yixin Wei posted 1 patch 1 day, 22 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260409164938.6735-1-yixinwei@meta.com
Maintainers: Laurent Vivier <laurent@vivier.eu>, Pierrick Bouvier <pierrick.bouvier@linaro.org>
linux-user/fd-trans.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] linux-user: fix off-by-one in host_to_target_for_each_rtattr()
Posted by Yixin Wei 1 day, 22 hours ago
host_to_target_for_each_rtattr() uses "len > sizeof(struct rtattr)"
as its loop condition. When the last rtattr in a netlink message has
exactly sizeof(struct rtattr) (4) bytes remaining, the loop exits
without byte-swapping its rta_len and rta_type. A big-endian guest
then reads rta_len in the wrong byte order and fails validation.

The companion function target_to_host_for_each_rtattr() correctly
uses ">=" (added in commit fa2229dbf8). The kernel's RTA_OK macro
also uses ">=". Fix the host_to_target direction to match.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2485
Signed-off-by: Yixin Wei <yixinwei@meta.com>
---
 linux-user/fd-trans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c
index 64dd0745d2..7f55a0690b 100644
--- a/linux-user/fd-trans.c
+++ b/linux-user/fd-trans.c
@@ -480,7 +480,7 @@ static abi_long host_to_target_for_each_rtattr(struct rtattr *rtattr,
     unsigned short aligned_rta_len;
     abi_long ret;
 
-    while (len > sizeof(struct rtattr)) {
+    while (len >= sizeof(struct rtattr)) {
         rta_len = rtattr->rta_len;
         if (rta_len < sizeof(struct rtattr) ||
             rta_len > len) {
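Review bot: the relaxed bound is correct as far as this hunk shows, since the context check `rta_len < sizeof(struct rtattr) || rta_len > len` still rejects a header that claims more bytes than remain, but the hunk does not show how `len` is decremented afterwards; with the loop now also entered for a header-only trailing attribute, confirm that the advance uses `aligned_rta_len` and exits cleanly when it brings `len` to 0, and note that if `len` is a signed type its comparison against `sizeof(struct rtattr)` is performed unsigned (the kernel's RTA_OK casts both sides to int for exactly that reason). The commit message should also carry `Fixes: 6c5b5645ae0 ("linux-user: add rtnetlink(7) support")`, as raised in review, so the change is picked up for stable.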
-- 
2.52.0
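The off-by-one described in the commit message, as an added example that is not QEMU's code and not part of this patch: a miniature of the host-to-target rtattr walker with both loop bounds, run over a constructed two-attribute message whose last attribute is header-only. `struct rtattr`, `RTA_ALIGN`, `swap16`, the `union sample` buffer and the helper names are local definitions assumed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not QEMU's code: a miniature of the rtattr walker in
 * linux-user/fd-trans.c used to show the off-by-one. struct rtattr and
 * RTA_ALIGN are redefined locally (assumption: same layout as
 * <linux/rtnetlink.h>) so the file builds on any host.
 */
struct rtattr {
    unsigned short rta_len;   /* length of header + payload, in bytes */
    unsigned short rta_type;
};

#define RTA_ALIGNTO 4U
#define RTA_ALIGN(len) (((len) + RTA_ALIGNTO - 1) & ~(RTA_ALIGNTO - 1))

/* Swap the two bytes of a 16-bit value (the host <-> guest endianness fix-up). */
static unsigned short swap16(unsigned short v)
{
    return (unsigned short)(((v & 0xff) << 8) | (v >> 8));
}

/*
 * Byte-swap every attribute header in [rtattr, rtattr + len).
 * fixed == 0 uses the original "len > sizeof" bound, fixed != 0 the
 * corrected "len >= sizeof" bound. Returns the number of headers swapped,
 * or -1 if a header claims an impossible length.
 */
static int swap_rtattr_headers(struct rtattr *rtattr, size_t len, int fixed)
{
    int swapped = 0;

    while (fixed ? len >= sizeof(struct rtattr) : len > sizeof(struct rtattr)) {
        unsigned short rta_len = rtattr->rta_len;   /* still in host order */
        size_t aligned_rta_len;

        if (rta_len < sizeof(struct rtattr) || rta_len > len) {
            return -1;                                /* malformed attribute */
        }
        aligned_rta_len = RTA_ALIGN(rta_len);

        rtattr->rta_len = swap16(rtattr->rta_len);
        rtattr->rta_type = swap16(rtattr->rta_type);
        swapped++;

        if (aligned_rta_len >= len) {
            break;                /* last attribute; don't let len underflow */
        }
        len -= aligned_rta_len;
        rtattr = (struct rtattr *)((char *)rtattr + aligned_rta_len);
    }
    return swapped;
}

/* Constructed sample message: one attribute with a 4-byte payload followed
 * by one header-only attribute (rta_len == 4), the case the commit message
 * describes. */
union sample {
    struct rtattr hdr[3];
    unsigned char raw[12];
};

static void build_sample(union sample *s)
{
    memset(s, 0, sizeof(*s));
    s->hdr[0].rta_len = 8;   s->hdr[0].rta_type = 1;   /* header + 4 bytes */
    memset(s->raw + 4, 0xAA, 4);                       /* payload of attr 0 */
    s->hdr[2].rta_len = 4;   s->hdr[2].rta_type = 2;   /* header only */
}

/*
 * Run the walker over the sample and report how many headers were swapped
 * and what rta_len the trailing header holds afterwards. With the buggy
 * bound the trailing header is skipped and keeps the host-order value 4;
 * with the fixed bound it becomes swap16(4) == 0x0400.
 */
static int walk_sample(int fixed, unsigned short *trailing_rta_len)
{
    union sample s;
    int n;

    build_sample(&s);
    n = swap_rtattr_headers(s.hdr, sizeof(s.raw), fixed);
    *trailing_rta_len = s.hdr[2].rta_len;
    return n;
}

/* A header claiming more bytes than remain is rejected by the length check. */
static int walk_oversized(void)
{
    union sample s;

    build_sample(&s);
    s.hdr[2].rta_len = 16;   /* claims 16 bytes, only 4 remain */
    return swap_rtattr_headers(s.hdr, sizeof(s.raw), 1);
}

int main(void)
{
    unsigned short tail;
    int n;

    n = walk_sample(0, &tail);
    printf("buggy  '>' : swapped %d header(s), trailing rta_len = 0x%04x\n", n, tail);
    n = walk_sample(1, &tail);
    printf("fixed '>=' : swapped %d header(s), trailing rta_len = 0x%04x\n", n, tail);
    printf("oversized trailing header: %d\n", walk_oversized());
    return 0;
}
```

With the `>` bound the walker stops after the first attribute and hands the trailing header to the guest with `rta_len` still equal to 4 in host order; with the `>=` bound it swaps that header too, and the `rta_len > len` check in the body is what keeps a header-only attribute from being mistaken for a longer one.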
Re: [PATCH] linux-user: fix off-by-one in host_to_target_for_each_rtattr()
Posted by Philippe Mathieu-Daudé 1 day, 18 hours ago
On 9/4/26 18:49, Yixin Wei wrote:
> host_to_target_for_each_rtattr() uses "len > sizeof(struct rtattr)"
> as its loop condition. When the last rtattr in a netlink message has
> exactly sizeof(struct rtattr) (4) bytes remaining, the loop exits
> without byte-swapping its rta_len and rta_type. A big-endian guest
> then reads rta_len in the wrong byte order and fails validation.
> 
> The companion function target_to_host_for_each_rtattr() correctly
> uses ">=" (added in commit fa2229dbf8). The kernel's RTA_OK macro
> also uses ">=". Fix the host_to_target direction to match.
> 

10-year-old bug, nice!

Fixes: 6c5b5645ae0 ("linux-user: add rtnetlink(7) support")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2485
> Signed-off-by: Yixin Wei <yixinwei@meta.com>
> ---
>   linux-user/fd-trans.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)