From patchwork Thu Sep 22 12:13:26 2016
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 76753
From: riku.voipio@linaro.org To: qemu-devel@nongnu.org Date: Thu, 22 Sep 2016 15:13:26 +0300 Message-Id: <2ba7fae3bd688f5bb6cb08defc731d77e6bd943c.1474546244.git.riku.voipio@linaro.org> X-Mailer: git-send-email 2.1.4 In-Reply-To: References: X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.85.215.47 Subject: [Qemu-devel] [PULL 06/26] linux-user: Check for bad event numbers in epoll_wait X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" From: Peter Maydell The kernel checks that the maxevents parameter to epoll_wait is non-negative and not larger than EP_MAX_EVENTS. Add this check to our implementation, so that: * we fail these cases EINVAL rather than EFAULT * we don't pass negative or overflowing values to the lock_user() size calculation Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 5 +++++ linux-user/syscall_defs.h | 3 +++ 2 files changed, 8 insertions(+) -- 2.1.4 diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 21ae996..eecccbb 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -11501,6 +11501,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, int maxevents = arg3; int timeout = arg4; + if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) { + ret = -TARGET_EINVAL; + break; + } + target_ep = lock_user(VERIFY_WRITE, arg2, maxevents * sizeof(struct target_epoll_event), 1); if (!target_ep) { diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index c0e5cb0..5c19c5c 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
@@ -2585,6 +2585,9 @@ struct target_epoll_event { abi_uint events; target_epoll_data_t data; } TARGET_EPOLL_PACKED; + +#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event)) + #endif struct target_rlimit64 { uint64_t rlim_cur;
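Review bot: in the syscall.c hunk, the new test `maxevents <= 0` rejects a zero count as well, while the commit message describes the kernel rule as "non-negative"; the code is the one to keep (it is what makes the following `maxevents * sizeof(struct target_epoll_event)` safe to evaluate), so reword the message to "positive and not larger than EP_MAX_EVENTS" so the two agree. Also note that `TARGET_EP_MAX_EVENTS` expands to `INT_MAX / sizeof(...)`, which has type `size_t`, so the second comparison converts `maxevents` to unsigned. That is still correct (a negative value becomes a huge `size_t` and is rejected either way), but `-Wsign-compare` builds will flag it; an explicit `(size_t)maxevents` after the `<= 0` test, or a one-line comment, would make the intent clear.

Review bot: the `TARGET_EP_MAX_EVENTS` definition in the syscall_defs.h hunk uses `INT_MAX` but the hunk adds no `#include <limits.h>`; confirm the header already gets it through its existing includes rather than relying on the include order of syscall.c. A short comment saying that the macro mirrors the kernel's `EP_MAX_EVENTS` named in the commit message, computed here against the target's struct size, would also help, since `TARGET_EPOLL_PACKED` means that size differs between targets and so the limit is not a single constant.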
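The two failure modes the commit message names (a negative or oversized count feeding the lock_user() length calculation, and EFAULT being returned where the kernel returns EINVAL) as an added C example. This is not QEMU's code: it reproduces the patch's check against a stand-in target_epoll_event that assumes the packed 12-byte x86_64 layout, takes TARGET_EINVAL to be 22 (an assumption), and shows the wrapped length the unchecked multiply would hand to lock_user() beside the length the checked path produces.

```c
/*
 * Added example, not QEMU's code: why the maxevents range check has to run
 * before the lock_user() size calculation.
 *
 * Assumptions: the stand-in struct below uses the packed 12-byte x86_64
 * epoll_event layout, and TARGET_EINVAL is taken as 22; QEMU's own
 * definitions live in linux-user/syscall_defs.h.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct target_epoll_event {
    uint32_t events;
    uint64_t data;
} __attribute__((packed));          /* stand-in for TARGET_EPOLL_PACKED */

/* Same expression as the patch: note its type is size_t, not int. */
#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))

#define TARGET_EINVAL 22            /* assumed value for this example */

/*
 * Length the pre-patch code hands to lock_user(): int * size_t converts
 * maxevents to size_t first, so -1 becomes SIZE_MAX and the product wraps
 * to a value far above anything the guest actually mapped.
 */
static size_t unchecked_lock_len(int maxevents)
{
    return maxevents * sizeof(struct target_epoll_event);
}

/* The check the patch adds: 0 when maxevents is usable, -TARGET_EINVAL if not. */
static int check_maxevents(int maxevents)
{
    if (maxevents <= 0 || (size_t)maxevents > TARGET_EP_MAX_EVENTS) {
        return -TARGET_EINVAL;
    }
    return 0;
}

/*
 * Post-patch behaviour: the byte length is computed only for a count that
 * passed the check (so it is at most INT_MAX); a rejected count yields 0,
 * which no valid count can produce since the minimum is one 12-byte event.
 */
static size_t checked_lock_len(int maxevents)
{
    if (check_maxevents(maxevents) != 0) {
        return 0;
    }
    return (size_t)maxevents * sizeof(struct target_epoll_event);
}

int main(void)
{
    /* Constructed probe values around the edges of the check. */
    const int probes[] = { -1, 0, 1, 64, INT_MAX / 12, INT_MAX / 12 + 1, INT_MAX };
    size_t i;

    printf("TARGET_EP_MAX_EVENTS = %zu\n", (size_t)TARGET_EP_MAX_EVENTS);
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int m = probes[i];
        printf("maxevents=%11d  unchecked len=%20zu  check=%3d  checked len=%zu\n",
               m, unchecked_lock_len(m), check_maxevents(m), checked_lock_len(m));
    }
    return 0;
}
```

Running it prints one row per probe; the interesting ones are -1 and INT_MAX, where the unchecked length exceeds INT_MAX (and wraps on 32-bit hosts) while the checked path refuses the count before any size is computed, and INT_MAX / 12 versus INT_MAX / 12 + 1, which is exactly where TARGET_EP_MAX_EVENTS cuts over for a 12-byte event.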