qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause a
heap buffer overflow. Therefore, use strncmp to avoid this problem.

The stack shown by ASan:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
0x60200000f2f4 thread T0
    #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
    #1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
    #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
    #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
    #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)

Reported-by: Euler Robot <[email protected]>
Signed-off-by: Gan Qixin <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
Ganqx authored and huth committed Jan 11, 2021
1 parent b115ea3 commit 661465c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tests/qtest/libqtest.c
@@ -1279,7 +1279,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
g_assert(qstr);
mname = qstring_get_str(qstr);
/* Ignore machines that cannot be used for qtests */
if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
if (!strncmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
continue;
}
if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) {
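Review bot: the strncmp change on the `if` line is the right fix for the over-read: memcmp always compares 5 bytes regardless of the string length, whereas strncmp stops at the first NUL, so a machine name shorter than "xenfv" no longer reads past the end of its heap allocation. Since the same line already uses GLib (`g_str_equal("xenpv", mname)`), `g_str_has_prefix(mname, "xenfv")` would express the intended prefix match more readably and remove the hard-coded length 5 that must be kept in sync with the literal.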