[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] tools/xl: Fix segfaults from `xl psr-cat-cbm-set` command line handling

To: Xen-devel <xen-devel@xxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Thu, 16 Jul 2015 20:32:45 +0100
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Chao Peng <chao.p.peng@xxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>
Delivery-date: Thu, 16 Jul 2015 19:33:11 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

The socket option takes a mandatory argument.  Mark it as such, so
optarg isn't NULL when passed to trim(), which unconditionally
dereference it.

Range check optind against argc before blindly assuming that
argv[optind] and argv[optind+1] exist.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
CC: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Chao Peng <chao.p.peng@xxxxxxxxxxxxxxx>

---

I started doing an audit of xl's command line handling, but got to the
very first command (memmax) and found another segfault because of
blindly assuming that argv[optind + 1] was available.

I fixed this example as I happened to use the command, but I currently
lack the time to do a complete audit.  IMO, a full audit should be a
blocker for 4.6, especially given the nature of XSA-137
---
 tools/libxl/xl_cmdimpl.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index 37d4af6..f778cbe 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -8395,7 +8395,7 @@ int main_psr_cat_cbm_set(int argc, char **argv)
     int i, j, len;
 
     static struct option opts[] = {
-        {"socket", 0, 0, 's'},
+        {"socket", required_argument, 0, 's'},
         COMMON_LONG_OPTS,
         {0, 0, 0, 0}
     };
@@ -8403,7 +8403,7 @@ int main_psr_cat_cbm_set(int argc, char **argv)
     libxl_socket_bitmap_alloc(ctx, &target_map, 0);
     libxl_bitmap_set_none(&target_map);
 
-    SWITCH_FOREACH_OPT(opt, "s", opts, "psr-cat-cbm-set", 1) {
+    SWITCH_FOREACH_OPT(opt, "s:", opts, "psr-cat-cbm-set", 1) {
     case 's':
         trim(isspace, optarg, &value);
         split_string_into_string_list(value, ",", &socket_list);
@@ -8422,6 +8422,11 @@ int main_psr_cat_cbm_set(int argc, char **argv)
     if (libxl_bitmap_is_empty(&target_map))
         libxl_bitmap_set_any(&target_map);
 
+    if (argc != optind + 2) {
+        help("psr-cat-cbm-set");
+        return 2;
+    }
+
     domid = find_domain(argv[optind]);
     cbm = strtoll(argv[optind + 1], NULL , 0);
 
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] tools/xl: Fix segfaults from `xl psr-cat-cbm-set` command line handling
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH] tools/xl: Fix segfaults from `xl psr-cat-cbm-set` command line handling
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH] tools/xl: Fix segfaults from `xl psr-cat-cbm-set` command line handling
  - From: Wei Liu

Prev by Date: [Xen-devel] [PATCH] tools/xl: Fix trim() following c/s e316316 "xl: Rewrite trim()"
Next by Date: [Xen-devel] [PATCH] xen: fix non-ANSI function declaration of function xen_has_pv_devices
Previous by thread: [Xen-devel] [PATCH] tools/xl: Fix trim() following c/s e316316 "xl: Rewrite trim()"
Next by thread: Re: [Xen-devel] [PATCH] tools/xl: Fix segfaults from `xl psr-cat-cbm-set` command line handling
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.