On 02/04/2013 02:07 PM, Peter Maydell wrote:
> On 4 February 2013 18:38, Eric Blake <ebl...@redhat.com> wrote:
>> On 02/02/2013 04:04 PM, dill...@dillona.com wrote:
>>> -
>>> - grouplist = alloca(gidsetsize * sizeof(gid_t));
>>> - target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize *
>>> 2, 1);
>>> - if (!target_grouplist) {
>>> - ret = -TARGET_EFAULT;
>>> - goto fail;
>>> + if (gidsetsize) {
>>> + grouplist = alloca(gidsetsize * sizeof(gid_t));
>>
>> Is this alloca() safe, or are you risking stack overflow if the user
>> passes an extremely large arg1?
>
> No, the linux-user has a number of long-standing not-terribly-safe
> alloca calls like this. If anybody wants to go through and fix them
> patches are welcome, but I don't think it's fair to require them
> to be fixed in order to get fairly simple patches like this in,
> where the patch is merely reindenting existing dubious code, not
> adding to the problem.Point taken - the abuse of alloca() is pre-existing, so it shouldn't block this particular patch. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
