From patchwork Tue Nov 11 06:50:37 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Riku Voipio X-Patchwork-Id: 40559 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-lb0-f198.google.com (mail-lb0-f198.google.com [209.85.217.198]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 2A169241C9 for ; Tue, 11 Nov 2014 06:51:52 +0000 (UTC) Received: by mail-lb0-f198.google.com with SMTP id 10sf4927593lbg.9 for ; Mon, 10 Nov 2014 22:51:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:delivered-to:from:to:date :message-id:in-reply-to:references:cc:subject:precedence:list-id :list-unsubscribe:list-archive:list-post:list-help:list-subscribe :errors-to:sender:x-original-sender :x-original-authentication-results:mailing-list; bh=0zjPLI6F8+nu+bul5ITSkun4eVKtF6ki3PesazmxFJQ=; b=AQV/Q/wY0w+4QfgRb5hYHCIHzG1uyJywBT7EgAltCNY3NwYfhyR9k8U6fUgsgl5/vi 8gwQKr2tC61bg5FviRBMgRcEBZgU3ozjKs6Hx8HDVULNFsqDq6OTk9l06tGFZDqiUbdI sB3VG+3ByHcfLq2MoYE82afP8CNo37G98Zjp8DvLDkMJUmqCZthimciDZ1h2kqOwMYL4 oFdiTmWBX31UFnevgovCBjpyvsgYiUzVO4+ENztvvu1vAhjZsHGpeZUNp1zqH5gMOR2n iOkX6xj/isCheRCPxOCcyUDVnoMB3Yq2PjSfJTE6ilWq1wWiGStsBumsUYX6GKJXL10+ GNjw== X-Gm-Message-State: ALoCoQkRZTKxJVmxxr1CkUDDaqNBO6jKH+/A9vekOY6ervf6fEoWG/FoKmpfYoDe9LmnsssdY9Kf X-Received: by 10.180.182.164 with SMTP id ef4mr4943322wic.0.1415688711108; Mon, 10 Nov 2014 22:51:51 -0800 (PST) MIME-Version: 1.0 X-BeenThere: patchwork-forward@linaro.org Received: by 10.152.23.130 with SMTP id m2ls138238laf.63.gmail; Mon, 10 Nov 2014 22:51:50 -0800 (PST) X-Received: by 10.112.150.136 with SMTP id ui8mr7208735lbb.60.1415688710481; Mon, 10 Nov 2014 22:51:50 -0800 (PST) Received: from mail-la0-f43.google.com (mail-la0-f43.google.com. [209.85.215.43]) by mx.google.com with ESMTPS id be15si1531398lab.113.2014.11.10.22.51.50 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Nov 2014 22:51:50 -0800 (PST) Received-SPF: pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.43 as permitted sender) client-ip=209.85.215.43; Received: by mail-la0-f43.google.com with SMTP id ge10so9051530lab.2 for ; Mon, 10 Nov 2014 22:51:50 -0800 (PST) X-Received: by 10.112.235.196 with SMTP id uo4mr24920506lbc.66.1415688710324; Mon, 10 Nov 2014 22:51:50 -0800 (PST) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.112.184.201 with SMTP id ew9csp212539lbc; Mon, 10 Nov 2014 22:51:49 -0800 (PST) X-Received: by 10.194.77.233 with SMTP id v9mr50193632wjw.24.1415688709465; Mon, 10 Nov 2014 22:51:49 -0800 (PST) Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11]) by mx.google.com with ESMTPS id gs8si21599844wib.50.2014.11.10.22.51.48 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 10 Nov 2014 22:51:49 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 2001:4830:134:3::11 as permitted sender) client-ip=2001:4830:134:3::11; Received: from localhost ([::1]:47072 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xo5Ip-00010C-9D for patch@linaro.org; Tue, 11 Nov 2014 01:51:47 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54196) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xo5Hu-00006T-Os for qemu-devel@nongnu.org; Tue, 11 Nov 2014 01:50:55 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Xo5Hl-0002mq-Go for qemu-devel@nongnu.org; Tue, 11 Nov 2014 01:50:50 -0500 Received: from [2001:4b98:dc0:45:216:3eff:fe3d:166f] (port=39924 helo=afflict.kos.to) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xo5Hl-0002lz-5N for qemu-devel@nongnu.org; Tue, 11 Nov 2014 01:50:41 -0500 Received: from afflict.kos.to (afflict [92.243.29.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by afflict.kos.to (Postfix) with ESMTPSA id 6D1E7264D8; Tue, 11 Nov 2014 07:50:38 +0100 (CET) From: riku.voipio@linaro.org To: qemu-devel@nongnu.org Date: Tue, 11 Nov 2014 08:50:37 +0200 Message-Id: X-Mailer: git-send-email 1.7.10.4 In-Reply-To: References: X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 2001:4b98:dc0:45:216:3eff:fe3d:166f Cc: Peter Maydell , Alexander Graf Subject: [Qemu-devel] [PULL 2/2] linux-user: Fix up timer id handling X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: , List-Help: , List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: riku.voipio@linaro.org X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of patch+caf_=patchwork-forward=linaro.org@linaro.org designates 209.85.215.43 as permitted sender) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 From: Alexander Graf When creating a timer handle, we give the timer id a special magic offset of 0xcafe0000. However, we never mask that offset out of the timer id before we start using it to dereference our timer array. So we always end up aborting timer operations because the timer id is out of bounds. This was not an issue before my patch e52a99f756e ("linux-user: Simplify timerid checks on g_posix_timers range") because before we would blindly mask anything above the first 16 bits. This patch simplifies the code around timer id creation by introducing a proper target_timer_id typedef that is s32, just like Linux has it. It also changes the magic offset to a value that makes all timer ids be positive. Reported-by: Tom Musta Signed-off-by: Alexander Graf Reviewed-by: Peter Maydell Reviewed-by: Tom Musta Tested-by: Tom Musta Signed-off-by: Riku Voipio --- linux-user/syscall.c | 54 ++++++++++++++++++++++++++++++++--------------- linux-user/syscall_defs.h | 5 +---- 2 files changed, 38 insertions(+), 21 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index a175cc1..aaac6a2 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -5473,6 +5473,27 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags, return get_errno(sys_openat(dirfd, path(pathname), flags, mode)); } +#define TIMER_MAGIC 0x0caf0000 +#define TIMER_MAGIC_MASK 0xffff0000 + +/* Convert QEMU provided timer ID back to internal 16bit index format */ +static target_timer_t get_timer_id(abi_long arg) +{ + target_timer_t timerid = arg; + + if ((timerid & TIMER_MAGIC_MASK) != TIMER_MAGIC) { + return -TARGET_EINVAL; + } + + timerid &= 0xffff; + + if (timerid >= ARRAY_SIZE(g_posix_timers)) { + return -TARGET_EINVAL; + } + + return timerid; +} + /* do_syscall() should always have a single exit point at the end so that actions, such as logging of syscall results, can be performed. All errnos that do_syscall() returns must be -TARGET_. */ @@ -9579,7 +9600,6 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, /* args: clockid_t clockid, struct sigevent *sevp, timer_t *timerid */ struct sigevent host_sevp = { {0}, }, *phost_sevp = NULL; - struct target_timer_t *ptarget_timer; int clkid = arg1; int timer_index = next_free_host_timer(); @@ -9601,11 +9621,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, if (ret) { phtimer = NULL; } else { - if (!lock_user_struct(VERIFY_WRITE, ptarget_timer, arg3, 1)) { + if (put_user(TIMER_MAGIC | timer_index, arg3, target_timer_t)) { goto efault; } - ptarget_timer->ptr = tswap32(0xcafe0000 | timer_index); - unlock_user_struct(ptarget_timer, arg3, 1); } } break; @@ -9617,9 +9635,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, { /* args: timer_t timerid, int flags, const struct itimerspec *new_value, * struct itimerspec * old_value */ - target_ulong timerid = arg1; + target_timer_t timerid = get_timer_id(arg1); - if (arg3 == 0 || timerid >= ARRAY_SIZE(g_posix_timers)) { + if (timerid < 0) { + ret = timerid; + } else if (arg3 == 0) { ret = -TARGET_EINVAL; } else { timer_t htimer = g_posix_timers[timerid]; @@ -9638,12 +9658,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, case TARGET_NR_timer_gettime: { /* args: timer_t timerid, struct itimerspec *curr_value */ - target_ulong timerid = arg1; + target_timer_t timerid = get_timer_id(arg1); - if (!arg2) { - return -TARGET_EFAULT; - } else if (timerid >= ARRAY_SIZE(g_posix_timers)) { - ret = -TARGET_EINVAL; + if (timerid < 0) { + ret = timerid; + } else if (!arg2) { + ret = -TARGET_EFAULT; } else { timer_t htimer = g_posix_timers[timerid]; struct itimerspec hspec; @@ -9661,10 +9681,10 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, case TARGET_NR_timer_getoverrun: { /* args: timer_t timerid */ - target_ulong timerid = arg1; + target_timer_t timerid = get_timer_id(arg1); - if (timerid >= ARRAY_SIZE(g_posix_timers)) { - ret = -TARGET_EINVAL; + if (timerid < 0) { + ret = timerid; } else { timer_t htimer = g_posix_timers[timerid]; ret = get_errno(timer_getoverrun(htimer)); @@ -9677,10 +9697,10 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, case TARGET_NR_timer_delete: { /* args: timer_t timerid */ - target_ulong timerid = arg1; + target_timer_t timerid = get_timer_id(arg1); - if (timerid >= ARRAY_SIZE(g_posix_timers)) { - ret = -TARGET_EINVAL; + if (timerid < 0) { + ret = timerid; } else { timer_t htimer = g_posix_timers[timerid]; ret = get_errno(timer_delete(htimer)); diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index c9e6323..ebb3be1 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -2564,10 +2564,7 @@ struct target_ucred { #endif - -struct target_timer_t { - abi_ulong ptr; -}; +typedef int32_t target_timer_t; #define TARGET_SIGEV_MAX_SIZE 64