hw/loongarch/boot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
memcpy() is trying to READ 512 bytes from the memory
pointed to by info->kernel_cmdline,
which was (presumably) allocated by g_strdup("").
Found with ASAN, running make check with sanitizers enabled.
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
hw/loongarch/boot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/loongarch/boot.c b/hw/loongarch/boot.c
index b8e1aa18d5..cb668703bd 100644
--- a/hw/loongarch/boot.c
+++ b/hw/loongarch/boot.c
@@ -163,7 +163,7 @@ static void init_cmdline(struct loongarch_boot_info *info, void *p, void *start)
info->a0 = 1;
info->a1 = cmdline_addr;
- memcpy(p, info->kernel_cmdline, COMMAND_LINE_SIZE);
+ g_strlcpy(p, info->kernel_cmdline, COMMAND_LINE_SIZE);
}
static uint64_t cpu_loongarch_virt_to_phys(void *opaque, uint64_t addr)
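Review bot: The return value of `g_strlcpy()` on the added line is discarded, so a kernel command line of COMMAND_LINE_SIZE bytes or more is truncated without any diagnostic and the guest boots with a cut-off argument string. Consider checking it, e.g. `if (g_strlcpy(p, info->kernel_cmdline, COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE) { error_report("kernel command line too long"); exit(EXIT_FAILURE); }`. Note also that, unlike the old `memcpy()`, the new call writes only up to the terminator, so the remainder of the COMMAND_LINE_SIZE region at `p` keeps whatever it held before; if that buffer is not zeroed by the caller, a `memset(p, 0, COMMAND_LINE_SIZE);` before the copy would keep stale bytes out of guest memory. init_cmdline() begins outside this hunk, so whether `p` is already cleared and whether `info->kernel_cmdline` can be NULL cannot be confirmed from here.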
--
2.43.0
在 2024/6/28 下午8:39, Dmitry Frolov 写道:
> memcpy() is trying to READ 512 bytes from memory,
> pointed by info->kernel_cmdline,
> which was (presumable) allocated by g_strdup("");
> Found with ASAN, making check with enabled sanitizers.
>
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
> hw/loongarch/boot.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/loongarch/boot.c b/hw/loongarch/boot.c
> index b8e1aa18d5..cb668703bd 100644
> --- a/hw/loongarch/boot.c
> +++ b/hw/loongarch/boot.c
> @@ -163,7 +163,7 @@ static void init_cmdline(struct loongarch_boot_info *info, void *p, void *start)
> info->a0 = 1;
> info->a1 = cmdline_addr;
>
> - memcpy(p, info->kernel_cmdline, COMMAND_LINE_SIZE);
> + g_strlcpy(p, info->kernel_cmdline, COMMAND_LINE_SIZE);
> }
>
> static uint64_t cpu_loongarch_virt_to_phys(void *opaque, uint64_t addr)
Reviewed-by: Song Gao <gaosong@loongson.cn>
Thanks.
Song Gao