From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50839) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WHvwv-0007rn-7M for qemu-devel@nongnu.org; Mon, 24 Feb 2014 08:52:07 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WHvwp-0005ex-7k for qemu-devel@nongnu.org; Mon, 24 Feb 2014 08:52:01 -0500
Received: from mx1.redhat.com ([209.132.183.28]:62925) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WHvwp-0005eg-0a for qemu-devel@nongnu.org; Mon, 24 Feb 2014 08:51:55 -0500
From: Markus Armbruster
Date: Mon, 24 Feb 2014 14:51:48 +0100
Message-Id: <1393249909-11202-2-git-send-email-armbru@redhat.com>
In-Reply-To: <1393249909-11202-1-git-send-email-armbru@redhat.com>
References: <1393249909-11202-1-git-send-email-armbru@redhat.com>
Subject: [Qemu-devel] [PATCH v2 1/2] vfio: Fix overrun after readlink() fills buffer completely
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, alex.williamson@redhat.com

readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.

Fix by treating readlink() filling the buffer completely as error,
like we do in pci-assign.c's assign_failed_examine().

Spotted by Coverity.

Signed-off-by: Markus Armbruster
---
 hw/misc/vfio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 8db182f..e669bbe 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev) strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); - len = readlink(path, iommu_group_path, PATH_MAX); - if (len <= 0) { + len = readlink(path, iommu_group_path, sizeof(path)); + if (len <= 0 || len >= sizeof(path)) { error_report("vfio: error no iommu_group for device"); - return -errno; + return len < 0 ? -errno : ENAMETOOLONG; } iommu_group_path[len] = 0; -- 1.8.1.4
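Review bot: the new bound is taken from the wrong array: both `len = readlink(path, iommu_group_path, sizeof(path));` and `if (len <= 0 || len >= sizeof(path))` size the check by `path`, the source of the readlink() call, while the buffer that is written and then terminated with `iommu_group_path[len] = 0;` is `iommu_group_path`. That is only correct if the two arrays are declared with the same size, which this hunk does not show; using `sizeof(iommu_group_path)` in both places makes the check track the buffer it protects. The error return also mixes conventions: `return len < 0 ? -errno : ENAMETOOLONG;` yields a negative errno for a failed readlink() but a positive ENAMETOOLONG for the over-long target, whereas the path this replaces returned `-errno`; a caller testing for a negative result would treat the truncated case as success, so it should read `-ENAMETOOLONG`. Minor: `len` is readlink()'s ssize_t compared against a size_t, which -Wsign-compare flags; the preceding `len <= 0` keeps it safe, but a `(size_t)len` cast documents that.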
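The readlink() contract the commit message describes, as an added example that is not part of the patch or of QEMU: a small wrapper that applies the same exact-fit check and is exercised on a constructed symlink whose target is precisely as long as the buffer, the case Coverity flagged. The function names (finish_readlink, safe_readlink, demo_exact_fit), the /tmp scratch directory and the target string are assumptions made for the demonstration. It sizes the check from the destination buffer and returns a negative errno in both error cases, which is the reviewer's preference rather than the hunk's exact text.

```c
/*
 * Added example, not QEMU code: readlink() neither NUL-terminates nor
 * reports truncation, so the caller must reserve room for the terminator
 * and treat a result that fills the buffer as an error.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Vulnerable shape (the code before the patch):
 *
 *     len = readlink(path, buf, sizeof(buf));
 *     if (len <= 0) { ... error ... }
 *     buf[len] = 0;        // len == sizeof(buf): one byte past the end
 *
 * readlink() returns exactly sizeof(buf) when the target fills the buffer,
 * so the terminator store lands out of bounds.
 */

/* Interpret a raw readlink() result for a buffer of bufsz bytes.
 * Returns the link length on success (buffer now NUL-terminated),
 * -errno if readlink() failed, and -ENAMETOOLONG if the target filled
 * the buffer so no terminator fits (the target may also be truncated). */
static ssize_t finish_readlink(ssize_t len, char *buf, size_t bufsz)
{
    if (len < 0) {
        return -errno;
    }
    if ((size_t)len >= bufsz) {   /* cast: len is non-negative here */
        return -ENAMETOOLONG;
    }
    buf[len] = '\0';
    return len;
}

/* readlink() that always yields a NUL-terminated result or a negative errno. */
static ssize_t safe_readlink(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) {
        return -EINVAL;
    }
    return finish_readlink(readlink(path, buf, bufsz), buf, bufsz);
}

/* Exercise the exact-fit edge case on a constructed symlink: the target is
 * TARGET_LEN bytes, so a TARGET_LEN-byte buffer must be refused and a
 * TARGET_LEN + 1 byte buffer must succeed. Returns 0 when every step behaves
 * as expected, otherwise a small code naming the step that did not. */
#define TARGET_LEN 15
static int demo_exact_fit(void)
{
    const char *target = "/dev/vfio/12345";     /* constructed, 15 bytes */
    char dir[] = "/tmp/readlinkXXXXXX";         /* assumed writable */
    char link[64];
    char buf[TARGET_LEN + 1];
    int rc = 0;

    if (strlen(target) != TARGET_LEN || !mkdtemp(dir)) {
        return 1;
    }
    snprintf(link, sizeof(link), "%s/link", dir);
    if (symlink(target, link) != 0) {
        rc = 2;
        goto out;
    }
    /* Buffer exactly as long as the target: refused, never overrun. */
    if (safe_readlink(link, buf, TARGET_LEN) != -ENAMETOOLONG) {
        rc = 3;
        goto out;
    }
    /* One byte more: fits with its terminator and matches the target. */
    if (safe_readlink(link, buf, sizeof(buf)) != TARGET_LEN ||
        strcmp(buf, target) != 0) {
        rc = 4;
        goto out;
    }
    /* Missing link: readlink()'s errno comes back negated. */
    snprintf(link, sizeof(link), "%s/missing", dir);
    if (safe_readlink(link, buf, sizeof(buf)) != -ENOENT) {
        rc = 5;
    }
out:
    snprintf(link, sizeof(link), "%s/link", dir);
    unlink(link);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_exact_fit();
    printf("exact-fit check: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The alternative of passing `bufsz - 1` to readlink() reserves the terminator up front, but it still cannot tell a target that happens to be `bufsz - 1` bytes long from one that was truncated, so the `len >= bufsz - 1` comparison is still needed; rejecting a full buffer outright, as the patch does, is the simplest correct rule.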