Le 09/08/2021 à 17:54, Peter Maydell a écrit : > In do_setsockopt(), the code path for the options which take a struct > ip_mreq_source (IP_BLOCK_SOURCE, IP_UNBLOCK_SOURCE, > IP_ADD_SOURCE_MEMBERSHIP and IP_DROP_SOURCE_MEMBERSHIP) fails to > check the return value from lock_user(). Handle this in the usual > way by returning -TARGET_EFAULT. > > (In practice this was probably harmless because we'd pass a NULL > pointer to setsockopt() and the kernel would then return EFAULT.) > > Fixes: Coverity CID 1459987 > Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> > --- > Compile-tested only; I don't have a test case to hand that > uses these socket options. > > linux-user/syscall.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index ccd3892b2df..d2b062ea5a9 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -2121,6 +2121,9 @@ static abi_long do_setsockopt(int sockfd, int level, > int optname, > return -TARGET_EINVAL; > > ip_mreq_source = lock_user(VERIFY_READ, optval_addr, optlen, 1); > + if (!ip_mreq_source) { > + return -TARGET_EFAULT; > + } > ret = get_errno(setsockopt(sockfd, level, optname, > ip_mreq_source, optlen)); > unlock_user (ip_mreq_source, optval_addr, 0); > break; >
Applied to my linux-user-for-6.2 branch. Thanks, Laurent