From patchwork Thu Aug  4 14:15:02 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Riku Voipio <riku.voipio@linaro.org>
X-Patchwork-Id: 73280
Delivered-To: patch@linaro.org
Received: by 10.140.29.52 with SMTP id a49csp1422583qga;
 Thu, 4 Aug 2016 07:23:51 -0700 (PDT)
X-Received: by 10.200.35.44 with SMTP id a41mr6547506qta.25.1470320631480;
 Thu, 04 Aug 2016 07:23:51 -0700 (PDT)
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id
 38si8357611qtq.133.2016.08.04.07.23.51 for <patch@linaro.org>
 (version=TLS1 cipher=AES128-SHA bits=128/128);
 Thu, 04 Aug 2016 07:23:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Authentication-Results: mx.google.com; dkim=fail header.i=@linaro.org;
 spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 smtp.mailfrom=qemu-devel-bounces+patch=linaro.org@nongnu.org; 
 dmarc=fail (p=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([::1]:40175 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1bVJYt-0001ni-3R
 for patch@linaro.org; Thu, 04 Aug 2016 10:23:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44994)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <riku.voipio@linaro.org>) id 1bVJQa-0003XY-Uj
 for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <riku.voipio@linaro.org>) id 1bVJQW-0000St-8x
 for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:15 -0400
Received: from mail-lf0-x232.google.com ([2a00:1450:4010:c07::232]:36462)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <riku.voipio@linaro.org>) id 1bVJQW-0000Sp-1H
 for qemu-devel@nongnu.org; Thu, 04 Aug 2016 10:15:12 -0400
Received: by mail-lf0-x232.google.com with SMTP id g62so183000700lfe.3
 for <qemu-devel@nongnu.org>; Thu, 04 Aug 2016 07:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=KuHvs4a3LZmBzKFdDLFf0n2WkwVDx/eIMBMaB4LgSBQ=;
 b=YvDYAn6bOwzqoZPsgXaPsyH3V/mTP/QG9qVmyQRr2pcVA7vFrwD98O/lLsADl2+F3a
 ZKOmjcKNs/VCUicWnJZzozSXopjurRwODFuSyOnsQzQq/0EnNa4ujDZmaoRDWz4DouZN
 tNhMYylCn+3YPZtsEvccuuwtZoK6/rMKz3AqA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=KuHvs4a3LZmBzKFdDLFf0n2WkwVDx/eIMBMaB4LgSBQ=;
 b=ElXObxASKCXt5pisRE5z08W9ZqjguGmj9lJwcpgFqqvmQJtQ8oV9RAQNpb2S4xEL3X
 iQK6aZ0CLPE/oOM6SZxdqbngQJmTTBG5fIqNuEB/BgCpn4PV3O6QY7TiX14X72Z5kfWM
 cXzXN20VBRCMipBCn1tZooIeU/bOqaoYA2AOa22d8lfxEPfalj4oaabxxXi5ezwL+Tb7
 yFjb1M5SFADrF8GzkDVdB1UqVYutdCY3RI8gwo+3k7nApwZvDap5F3Vt9+kMyb4i4XI6
 XByz6iTUTyaWFQyzBTZf2sKBuvisofwZtho6cUrFJggTVv42zmsZd+1XWKv8k7yP7tTx
 FlVA==
X-Gm-Message-State: AEkoousevhrUWSosI/8KkFlNA1VQt1WwdQ5sYM+90zraYlqYQwe59TsjgzWO8lcSCY4lV5AA
X-Received: by 10.46.33.8 with SMTP id h8mr21599846ljh.36.1470320110834;
 Thu, 04 Aug 2016 07:15:10 -0700 (PDT)
Received: from beaming.home (91-157-170-157.elisa-laajakaista.fi.
 [91.157.170.157]) by smtp.gmail.com with ESMTPSA id
 r76sm2407266lfi.35.2016.08.04.07.15.09
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Thu, 04 Aug 2016 07:15:09 -0700 (PDT)
From: riku.voipio@linaro.org
To: qemu-devel@nongnu.org
Date: Thu,  4 Aug 2016 17:15:02 +0300
Message-Id: <ba4b3f668abf1fcde204c8f3185ea6edeec6eaa3.1470319929.git.riku.voipio@linaro.org>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <cover.1470319929.git.riku.voipio@linaro.org>
References: <cover.1470319929.git.riku.voipio@linaro.org>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2a00:1450:4010:c07::232
Subject: [Qemu-devel] [PULL 2/5] linux-user: Fix memchr() argument in
 open_self_cmdline()
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: peter.maydell@linaro.org
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>

From: Peter Maydell <peter.maydell@linaro.org>

In open_self_cmdline() we look for a 0 in the buffer we read
from /prc/self/cmdline. We were incorrectly passing the length
of our buf[] array to memchr() as the length to search, rather
than the number of bytes we actually read into it, which could
be shorter. This was spotted by Coverity (because it could
result in our trying to pass a negative length argument to
write()).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.1.4

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ca6a2b4..092ff4e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6856,7 +6856,7 @@ static int open_self_cmdline(void *cpu_env, int fd)
         if (!word_skipped) {
             /* Skip the first string, which is the path to qemu-*-static
                instead of the actual command. */
-            cp_buf = memchr(buf, 0, sizeof(buf));
+            cp_buf = memchr(buf, 0, nb_read);
             if (cp_buf) {
                 /* Null byte found, skip one string */
                 cp_buf++;