From: Thayne Harbaugh
Date: Tue, 11 Dec 2007 09:34:03 -0700
Message-Id: <1197390843.2947.41.camel@phantasm.home.enterpriseandprosperity.com>
Subject: [Qemu-devel] [BUG][PATCH] execve processing NULL args
Reply-To: thayne@c2.net, qemu-devel@nongnu.org
To: qemu-devel@nongnu.org

Here's a patch to avoid processing NULL args in execve. It prevents trying to dereference NULL.

Attachment: 50_execve_null_args.patch

Index: qemu/linux-user/syscall.c
===================================================================
--- qemu.orig/linux-user/syscall.c 2007-11-19 20:45:20.000000000 -0700
+++ qemu/linux-user/syscall.c 2007-11-19 20:48:54.000000000 -0700
@@ -3515,7 +3515,7 @@ argc = 0; guest_argp = arg2; - for (gp = guest_argp; ; gp += sizeof(abi_ulong)) { + for (gp = guest_argp; gp; gp += sizeof(abi_ulong)) { if (get_user_ual(addr, gp)) goto efault; if (!addr) @@ -3524,7 +3524,7 @@ } envc = 0; guest_envp = arg3; - for (gp = guest_envp; ; gp += sizeof(abi_ulong)) { + for (gp = guest_envp; gp; gp += sizeof(abi_ulong)) { if (get_user_ual(addr, gp)) goto efault; if (!addr) @@ -3535,7 +3535,7 @@ argp = alloca((argc + 1) * sizeof(void *)); envp = alloca((envc + 1) * sizeof(void *)); - for (gp = guest_argp, q = argp; ; + for (gp = guest_argp, q = argp; gp; gp += sizeof(abi_ulong), q++) { if (get_user_ual(addr, gp)) goto execve_efault; @@ -3546,7 +3546,7 @@ } *q = NULL; - for (gp = guest_envp, q = envp; ; + for (gp = guest_envp, q = envp; gp; gp += sizeof(abi_ulong), q++) { if (get_user_ual(addr, gp)) goto execve_efault; @@ -3568,14 +3568,14 @@ ret = -TARGET_EFAULT; execve_end: - for (gp = guest_argp, q = argp; *q; + for (gp = guest_argp, q = argp; gp && *q; gp += sizeof(abi_ulong), q++) { if (get_user_ual(addr, gp) || !addr) break; unlock_user(*q, addr, 0); } - for (gp = guest_envp, q = envp; *q; + for (gp = guest_envp, q = envp; gp && *q; gp += sizeof(abi_ulong), q++) { if (get_user_ual(addr, gp) || !addr) --=-4r23FCDTVF7E6xEZV/10--
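Review bot: In the argc-counting hunk (@@ -3515) the new `gp` test is evaluated on every iteration but can only be false on entry, since gp only advances from guest_argp; a reader will likely take it for a terminator or wraparound check. Hoisting it, e.g. `if (guest_argp) for (gp = guest_argp; ; gp += sizeof(abi_ulong)) {`, or a one-line comment that a NULL argv is treated as an empty vector (argc stays 0), would make the intent explicit. The description should say the same: the change does not so much avoid a NULL dereference as define what a NULL argv means to the emulated execve, which is also how the host kernel treats a NULL argv.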
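Review bot: The envc-counting hunk (@@ -3524) has the same once-only `gp` condition written as a per-iteration test; whatever form is chosen for the argv loop (hoisted `if (guest_envp)` or a comment) should be applied here too so the two loops stay parallel.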
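Review bot: In the argv lock loop (@@ -3535), when guest_argp is NULL the loop body is skipped and `*q = NULL` lands in argp[0], so the host execve sees an empty argv and the `alloca((argc + 1) * sizeof(void *))` of a single slot is exactly enough; that is correct. The cost is that the NULL-vector rule is now repeated in five loops of identical shape (count, lock, unlock, for argv and envp); a small helper that counts/locks/unlocks one guest pointer vector would keep the rule in one place and make the next such fix a one-liner.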
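Review bot: In the execve_end hunk (@@ -3568), `gp && *q` adds nothing over `*q`: when guest_argp or guest_envp is NULL the corresponding lock loop never runs and leaves `*q = NULL` in slot 0, so the cleanup loop already stops on its first entry; the extra conjunct suggests a case that cannot occur and can be dropped. While this loop is being touched, note that argp and envp come from alloca and are only NULL-terminated after their lock loop completes: if `goto execve_efault` is taken on the first failing get_user_ual, the `*q` read at execve_end sees an uninitialised slot (assuming execve_efault resolves to the `ret = -TARGET_EFAULT` shown just above the label). That predates this patch, but writing `*q = NULL` before each lock loop, or zeroing the alloca'd arrays, would close it in the same change.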