On 4 February 2013 18:38, Eric Blake <ebl...@redhat.com> wrote:
> On 02/02/2013 04:04 PM, dill...@dillona.com wrote:
>> -
>> -            grouplist = alloca(gidsetsize * sizeof(gid_t));
>> -            target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 2, 
>> 1);
>> -            if (!target_grouplist) {
>> -                ret = -TARGET_EFAULT;
>> -                goto fail;
>> +            if (gidsetsize) {
>> +                grouplist = alloca(gidsetsize * sizeof(gid_t));
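Review bot: the new `if (gidsetsize)` guard only skips the zero-length case; gidsetsize is still unbounded when it reaches `alloca(gidsetsize * sizeof(gid_t))`, so a very large guest-supplied value can exhaust the host stack. Suggest rejecting sizes above NGROUPS_MAX with -TARGET_EINVAL before the alloca (the kernel applies the same limit) or switching to a heap allocation with a failure check. Also, the `-` lines drop the `if (!target_grouplist) { ret = -TARGET_EFAULT; goto fail; }` check on the lock_user() result, and the quoted hunk does not show it being re-added inside the new branch; please confirm that check is retained.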
>
> Is this alloca() safe, or are you risking stack overflow if the user
> passes an extremely large arg1?

No, the linux-user has a number of long-standing not-terribly-safe
alloca calls like this. If anybody wants to go through and fix them,
patches are welcome, but I don't think it's fair to require them
to be fixed in order to get fairly simple patches like this in,
where the patch is merely reindenting existing dubious code, not
adding to the problem.

-- PMM
