authorLaurent Vivier <laurent@vivier.eu>2020-07-09 21:22:17 +0200
committerLaurent Vivier <laurent@vivier.eu>2020-07-13 21:22:08 +0200
commit4c1850c130a31e6f3cc896a5ba5fb7a602540bc9 (patch)
treefa01a74ef0e3107e4ba378757689baff3bddc969 /linux-user
parentd8c08b1e6c7b1a5be1ec70e339437823a41b1946 (diff)
linux-user: Fix Coverity CID 1430271 / CID 1430272
In the new functions print_ioctl() and print_syscall_ret_ioctl(), we don't check whether lock_user() returns NULL, and this would cause a segfault in thunk_print(). If lock_user() returns NULL, don't call thunk_print() but print only the value of the (invalid) pointer. Tested with: # cat ioctl.c #include <unistd.h> #include <sys/ioctl.h> int main(void) { int ret; ret = ioctl(STDOUT_FILENO, TCGETS, 0xdeadbeef); ret = ioctl(STDOUT_FILENO, TCSETSF, 0xdeadbeef); return 0; } # QEMU_STRACE= ./ioctl ... 578 ioctl(1,TCGETS,0xdeadbeef) = -1 errno=2 (Bad address) 578 ioctl(1,TCSETSF,0xdeadbeef) = -1 errno=2 (Bad address) ... # QEMU_STRACE= passwd ... 623 ioctl(0,TCGETS,0x3fffed04) = 0 ({}) 623 ioctl(0,TCSETSF,{}) = 0 ... Reported-by: Peter Maydell <peter.maydell@linaro.org> Fixes: 79482e5987c8 ("linux-user: Add strace support for printing arguments of ioctl()") Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'linux-user')
-rw-r--r--linux-user/strace.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/linux-user/strace.c b/linux-user/strace.c
index 5235b2260c..39554d9039 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -889,8 +889,12 @@ print_syscall_ret_ioctl(const struct syscallname *name, abi_long ret,
arg_type++;
target_size = thunk_type_size(arg_type, 0);
argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
- thunk_print(argptr, arg_type);
- unlock_user(argptr, arg2, target_size);
+ if (argptr) {
+ thunk_print(argptr, arg_type);
+ unlock_user(argptr, arg2, target_size);
+ } else {
+ print_pointer(arg2, 1);
+ }
qemu_log(")");
}
}
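Review bot: The lock_user()/thunk_print()/unlock_user()/print_pointer() sequence added here is now duplicated byte-for-byte in the print_ioctl hunk below (the one at line 3123), so a future change to how an unreadable guest buffer is reported — or to the `1` passed to print_pointer(), which presumably marks the last argument — has to be made in two places. Extracting it into a static helper, e.g. `print_ioctl_arg(arg_type, arg2)`, keeps the NULL check in one spot and lets both callers share it. The enclosing functions print_syscall_ret_ioctl and print_ioctl both start outside their hunks, so the helper would be placed above the earlier of the two. The helper below is a constructed proposal; the types follow the calls visible in the hunk and should be checked against the real declarations.
```c
/* Print an ioctl argument structure at guest address arg2, or just the
 * (unreadable) pointer value when the guest memory cannot be locked. */
static void print_ioctl_arg(const argtype *arg_type, abi_long arg2)
{
    int target_size = thunk_type_size(arg_type, 0);
    void *argptr = lock_user(VERIFY_READ, arg2, target_size, 1);

    if (argptr) {
        thunk_print(argptr, arg_type);
        unlock_user(argptr, arg2, target_size);
    } else {
        print_pointer(arg2, 1);
    }
}
/* … unchanged: callers replace the lock/print/unlock block with print_ioctl_arg(arg_type, arg2) … */
```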
@@ -3119,8 +3123,12 @@ print_ioctl(const struct syscallname *name,
arg_type++;
target_size = thunk_type_size(arg_type, 0);
argptr = lock_user(VERIFY_READ, arg2, target_size, 1);
- thunk_print(argptr, arg_type);
- unlock_user(argptr, arg2, target_size);
+ if (argptr) {
+ thunk_print(argptr, arg_type);
+ unlock_user(argptr, arg2, target_size);
+ } else {
+ print_pointer(arg2, 1);
+ }
break;
}
break;