Re: [PATCH RESEND v3] KVM: selftests: Initialise dynamically allocated configuration names

[Paolo Bonzini]

On 12/11/23 14:08, Mark Brown wrote:
> When we dynamically generate a name for a configuration in get-reg-list
> we use strcat() to append to a buffer allocated using malloc() but we
> never initialise that buffer. Since malloc() offers no guarantees
> regarding the contents of the memory it returns this can lead to us
> corrupting, and likely overflowing, the buffer:
>
>    vregs: PASS
>    vregs+pmu: PASS
>    sve: PASS
>    sve+pmu: PASS
>    vregs+pauth_address+pauth_generic: PASS
>    X�vr+gspauth_addre+spauth_generi+pmu: PASS
>
> Initialise the buffer to an empty string to avoid this.

> diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c
> index be7bf5224434..dd62a6976c0d 100644
> --- a/tools/testing/selftests/kvm/get-reg-list.c
> +++ b/tools/testing/selftests/kvm/get-reg-list.c
> @@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c)
>   
>   	c->name = malloc(len);
>   
> +	c->name[0] = '\0';
>   	len = 0;
>   	for_each_sublist(c, s) {
>   		if (!strcmp(s->name, "base"))
>  			continue;
>  		strcat(c->name + len, s->name);

This can be fixed just by s/strcat/strcpy/, but there's also an ugly 
hidden assumption that for_each_sublist runs at least one iteration of 
the loop; otherwise, the loop ends with a c->name[-1] = '\0';

>                 len += strlen(s->name) + 1;
>                 c->name[len - 1] = '+';
>         }
>         c->name[len - 1] = '\0';

Now this *is* a bit academic, but it remains the fact that all the 
invariants are screwed up and while we're fixing it we might at least 
fix it well.

So let's make the invariant that c->name[0..len-1] is initialized.  Then 
every write is done with either strcpy of c->name[len++] = '...'.

> ---
> base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
> change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
>
> Best regards,