From 6d515588a76e928042212d16555fc8b14e486cb0 Mon Sep 17 00:00:00 2001 Message-Id: <6d515588a76e928042212d16555fc8b14e486cb0.1294149299.git.jdenemar@redhat.com> From: Eric Blake <eblake@redhat.com> Date: Fri, 24 Dec 2010 09:52:06 -0700 Subject: [PATCH] virExec: avoid undefined behavior Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=665549 In the default RHEL case of ulimit -n being 1024, this is not an issue. But if someone runs with a larger limit for maximum open file descriptors, it is possible for reading beyond the fdset bounds to cross a page boundary beyond the stack and trigger a segfault. * src/util/util.c (__virExec): Don't use FD_ISSET on out-of-bounds fd. (cherry picked from commit c3568ec2892c420c931c018719974c01000a18f3) Conflicts: src/util/util.c --- src/util/util.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/util/util.c b/src/util/util.c index a04c515..08805ae 100644 --- a/src/util/util.c +++ b/src/util/util.c @@ -569,8 +569,7 @@ __virExec(const char *const*argv, i != null && i != childout && i != childerr && - (!keepfd || - !FD_ISSET(i, keepfd))) + (!keepfd || (i < FD_SETSIZE && !FD_ISSET(i, keepfd)))) close(i); if (dup2(infd >= 0 ? infd : null, STDIN_FILENO) < 0) { -- 1.7.3.4
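Review bot: in the rewritten condition `(!keepfd || (i < FD_SETSIZE && !FD_ISSET(i, keepfd)))`, a descriptor with `i >= FD_SETSIZE` now makes the whole clause false whenever `keepfd` is non-NULL, so `close(i)` is skipped and the descriptor stays open in the child. That removes the out-of-bounds `FD_ISSET` read, but it reverses the intended outcome for the case the commit message is concerned with (a `ulimit -n` above 1024): a descriptor that cannot be represented in `keepfd` cannot have been requested to be kept, so it should be closed, not inherited. Suggest `(!keepfd || i >= FD_SETSIZE || !FD_ISSET(i, keepfd))`, which keeps the bounds check ahead of the macro and still closes high-numbered descriptors. A short comment next to the condition explaining why `FD_SETSIZE` is tested before `FD_ISSET` would also help the next reader, since the commit message is the only place the reason is recorded.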