From: Sean Christopherson <seanjc@google.com>
To: Mirsad Todorovac <mtodorovac69@gmail.com>
Cc: kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org,
David Edmondson <david.edmondson@oracle.com>
Subject: Re: [BUG] arch/x86/kvm/x86.c: In function ‘prepare_emulation_failure_exit’: error: use of NULL ‘data’ where non-null expected
Date: Fri, 19 Jul 2024 12:01:27 -0700 [thread overview]
Message-ID: <Zpq4B2I1xcMLmuox@google.com> (raw)
In-Reply-To: <1eb96f85-edee-45fc-930f-a192cecbf54c@gmail.com>
On Fri, Jul 19, 2024, Mirsad Todorovac wrote:
> Hi, all!
>
> On linux-stable 6.10 vanilla tree, another NULL pointer is passed, which was detected
> by the fortify-string.h mechanism.
>
> arch/x86/kvm/x86.c
> ==================
>
> 13667 kvm_prepare_emulation_failure_exit(vcpu);
>
> calls
>
> 8796 __kvm_prepare_emulation_failure_exit(vcpu, NULL, 0);
>
> which calls
>
> 8790 prepare_emulation_failure_exit(vcpu, data, ndata, NULL, 0);
>
> Note here that data == NULL and ndata = 0.
>
> again data == NULL and ndata == 0, which passes unchanged all until
>
> 8773 memcpy(&run->internal.data[info_start + ARRAY_SIZE(info)], data, ndata * sizeof(data[0]));
My reading of the C99 is that KVM's behavior is fine.
Where an argument declared as size_t n specifies the length of the array for a
function, n can have the value zero on a call to that function. Unless explicitly stated
otherwise in the description of a particular function in this subclause, pointer arguments
on such a call shall still have valid values, as described in 7.1.4. On such a call, a
function that locates a character finds no occurrence, a function that compares two
character sequences returns zero, and a function that copies characters copies zero
characters.
If the function copies zero characters, then there can't be a store to the NULL
pointer, and if there's no store, there's no NULL pointer explosion.
I suppose arguably one could argue the builtin memcpy() could deliberately fail
on an invalid pointer, but that'd be rather ridiculous.
next prev parent reply other threads:[~2024-07-19 19:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-19 18:22 [BUG] arch/x86/kvm/x86.c: In function ‘prepare_emulation_failure_exit’: error: use of NULL ‘data’ where non-null expected Mirsad Todorovac
2024-07-19 19:01 ` Sean Christopherson [this message]
2024-07-19 19:24 ` Mirsad Todorovac
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zpq4B2I1xcMLmuox@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=david.edmondson@oracle.com \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=mtodorovac69@gmail.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.