restore: don't check tcore->thread_core

Submitted by Andrei Vagin on July 18, 2016, 6:40 p.m.

Details

Message ID 1468867225-3614-1-git-send-email-avagin@openvz.org
State Accepted
Series "restore: don't check tcore->thread_core"
Commit dd2c00709770325702d902f6485eab58da1e2d58

Commit Message

Andrei Vagin July 18, 2016, 6:40 p.m.
From: Andrew Vagin <avagin@virtuozzo.com>

It is always not NULL in sigreturn_restore().

CID 164716 (#1 of 1): Dereference after null check (FORWARD_NULL)
64. var_deref_model: Passing tcore to construct_sigframe, which dereferences null tcore->thread_core. [show details]

Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
---
 criu/cr-restore.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

Patch

diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 9fbc4c6..d1166a2 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -3086,21 +3086,19 @@  static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, uns
 
 		rst_reloc_creds(&thread_args[i], &creds_pos_next);
 
-		if (tcore->thread_core) {
-			thread_args[i].has_futex	= true;
-			thread_args[i].futex_rla	= tcore->thread_core->futex_rla;
-			thread_args[i].futex_rla_len	= tcore->thread_core->futex_rla_len;
-			thread_args[i].pdeath_sig	= tcore->thread_core->pdeath_sig;
-			if (tcore->thread_core->pdeath_sig > _KNSIG) {
-				pr_err("Pdeath signal is too big\n");
-				goto err;
-			}
-
-			ret = prep_sched_info(&thread_args[i].sp, tcore->thread_core);
-			if (ret)
-				goto err;
+		thread_args[i].has_futex	= true;
+		thread_args[i].futex_rla	= tcore->thread_core->futex_rla;
+		thread_args[i].futex_rla_len	= tcore->thread_core->futex_rla_len;
+		thread_args[i].pdeath_sig	= tcore->thread_core->pdeath_sig;
+		if (tcore->thread_core->pdeath_sig > _KNSIG) {
+			pr_err("Pdeath signal is too big\n");
+			goto err;
 		}
 
+		ret = prep_sched_info(&thread_args[i].sp, tcore->thread_core);
+		if (ret)
+			goto err;
+
 		thread_args[i].mz = mz + i;
 		sigframe = (struct rt_sigframe *)&mz[i].rt_sigframe;
 
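Review bot: Dropping the `if (tcore->thread_core)` guard turns what used to be a silent skip into an unconditional dereference, so the commit message's claim that `thread_core` is never NULL here deserves a pointer to where that invariant is established (the hunk itself does not show it). If the guarantee comes from image parsing, say so in the message; if nothing upstream rejects a thread core entry without `thread_core`, a truncated or malformed image would now fault inside `sigreturn_restore()` instead of failing cleanly, and a validation-time check (with `pr_err` and an error return, matching the `pdeath_sig > _KNSIG` pattern kept in this hunk) would be the safer place to enforce it. One behavioural side effect worth noting: `has_futex` is now always `true`, whereas before it stayed `false` whenever the guard was skipped.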

Comments

Cyrill Gorcunov July 18, 2016, 7:25 p.m.
On Mon, Jul 18, 2016 at 09:40:25PM +0300, Andrey Vagin wrote:
> From: Andrew Vagin <avagin@virtuozzo.com>
> 
> It is always not NULL in sigreturn_restore().
> 
> CID 164716 (#1 of 1): Dereference after null check (FORWARD_NULL)
> 64. var_deref_model: Passing tcore to construct_sigframe, which dereferences null tcore->thread_core. [show details]
> 
> Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Pavel Emelianov July 21, 2016, 4:15 p.m.
Applied