From e7c7a304e8f9e0ea02e7bd4533cd71bc70089cc9 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Wed, 3 Jul 2024 22:30:02 +0200
Subject: [PATCH] virtio-devices: fix UB getting tty size
TIOCGWINSZ modifies its argument, so it needs to mutably borrow it. Unfortunately, ioctl()'s signature is not able to enforce this, and the write happens in the kernel, so I don't think anything like miri, valgrind, UBSan, etc. would have been able to catch this. The UB passing an immutable reference caused resulted, for me, in get_win_size() returning (0, 0) since LLVM commit 9a09c737a052 ("[BasicAA] Make isNotCapturedBeforeOrAt() check for calls more precise (#69931)"). I've had a look through the other ioctl() calls in Cloud Hypervisor, and I don't think any others have the same problem.
Signed-off-by: Alyssa Ross
---
 virtio-devices/src/console.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/virtio-devices/src/console.rs b/virtio-devices/src/console.rs
index fcca7b6c0..f9eda350d 100644
--- a/virtio-devices/src/console.rs
+++ b/virtio-devices/src/console.rs
@@ -608,11 +608,11 @@ fn get_win_size(tty: &dyn AsRawFd) -> (u16, u16) {
 xpixel: u16,
 ypixel: u16,
 }
- let ws: WindowSize = WindowSize::default();
+ let mut ws: WindowSize = WindowSize::default();
 // SAFETY: FFI call with correct arguments
 unsafe {
- libc::ioctl(tty.as_raw_fd(), TIOCGWINSZ, &ws);
+ libc::ioctl(tty.as_raw_fd(), TIOCGWINSZ, &mut ws);
 }
 (ws.cols, ws.rows)
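Review bot: The `// SAFETY: FFI call with correct arguments` comment above the `unsafe` block read just as plausibly over the old `&ws` call, so it does not record the invariant this fix depends on. Because `ioctl()` is variadic and the compiler cannot check the third argument, I would spell it out, e.g. `// SAFETY: TIOCGWINSZ writes a struct winsize through the pointer; ws is a live WindowSize, exclusively borrowed for the duration of the call.` The start of `WindowSize` lies outside the hunk, so its layout matching the kernel's `struct winsize` should be confirmed there and named in the comment as well. Separately, the return value of `libc::ioctl` is still discarded, so a failed call (for example on a descriptor that is not a terminal) is indistinguishable from a genuine 0x0 window in the `(ws.cols, ws.rows)` result. get_win_size begins before and closes after this hunk.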