On 09/05/2018 05:33 AM, Frank Busse wrote:
> Hi,
> this was found by using KLEE [1] on Coreutils 8.30 (shred, stty, sync,
> tail, and probably also in dd (untested)). These tools call
>   fcntl (fd, F_GETFL)
> F_GETFL is not handled in fcntl.c:rpl_fcntl and the default case tries
> to access a non-existing argument:
> --
>     default:
>       {
> #if HAVE_FCNTL
>         void *p = va_arg (arg, void *);   <---
>         result = fcntl (fd, action, p);
While this indeed accesses a parameter not passed by the caller, it is a
harmless access. It doesn't matter what garbage we pass on to the kernel
in that parameter slot, because the kernel doesn't read that parameter
for F_GETFL.
Is this merely something triggering a warning in the KLEE static checker
tool, or is it something that is causing actual runtime failures? Is
there a way to annotate things in such a way that KLEE can ignore the
pattern as intentional and safe?
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org