Sophie

libvirt-0.8.2-29.el5.src.rpm

From 6d515588a76e928042212d16555fc8b14e486cb0 Mon Sep 17 00:00:00 2001
Message-Id: <6d515588a76e928042212d16555fc8b14e486cb0.1294149299.git.jdenemar@redhat.com>
From: Eric Blake <eblake@redhat.com>
Date: Fri, 24 Dec 2010 09:52:06 -0700
Subject: [PATCH] virExec: avoid undefined behavior

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=665549

In the default RHEL case of ulimit -n being 1024, this is not an
issue.  But if someone runs with a larger limit for maximum open
file descriptors, it is possible for reading beyond the fdset bounds
to cross a page boundary beyond the stack and trigger a segfault.

* src/util/util.c (__virExec): Don't use FD_ISSET on out-of-bounds fd.
(cherry picked from commit c3568ec2892c420c931c018719974c01000a18f3)

Conflicts:

	src/util/util.c
---
 src/util/util.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/util/util.c b/src/util/util.c
index a04c515..08805ae 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -569,8 +569,7 @@ __virExec(const char *const*argv,
             i != null &&
             i != childout &&
             i != childerr &&
-            (!keepfd ||
-             !FD_ISSET(i, keepfd)))
+            (!keepfd || (i < FD_SETSIZE && !FD_ISSET(i, keepfd))))
             close(i);
 
     if (dup2(infd >= 0 ? infd : null, STDIN_FILENO) < 0) {
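
Review bot: In the close loop, the new term `(i < FD_SETSIZE && !FD_ISSET(i, keepfd))` is false for every i >= FD_SETSIZE, so when keepfd is non-NULL `close(i)` is skipped and all descriptors at or above FD_SETSIZE stay open in the child. An fd_set cannot represent such a descriptor, so the caller cannot have asked to keep it, and closing it looks like the intended behaviour: `(!keepfd || i >= FD_SETSIZE || !FD_ISSET(i, keepfd))`. If leaving those descriptors open is deliberate, a short comment at this condition should say so, because the out-of-bounds read is fixed here but the child now inherits descriptors it did before only by accident of what the stray read returned.
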
-- 
1.7.3.4