From patchwork Wed May 25 10:32:02 2016
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 68571
From: riku.voipio@linaro.org
To: qemu-devel@nongnu.org
Cc: Peter Maydell
Date: Wed, 25 May 2016 13:32:02 +0300
Subject: [Qemu-devel] [PULL 30/38] linux-user: Handle msgrcv error case correctly

From: Peter Maydell

The msgrcv ABI is a bit odd -- the msgsz argument is a size_t, which is unsigned, but it must fail EINVAL if the value is negative when cast to a long. We were incorrectly passing the value through an "unsigned int", which meant that if the guest had 32-bit longs and the host had 64-bit longs, an input of 0xffffffff (which should trigger EINVAL) would simply be passed to the host msgrcv() as 0xffffffff, where it does not cause the host kernel to reject it.

Follow the same approach as do_msgsnd() in using a ssize_t and doing the check for negative values by hand, so we correctly fail in this corner case.

This fixes the msgrcv03 Linux Test Project test case, which otherwise hangs.

Signed-off-by: Peter Maydell
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

-- 
2.1.4

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 6c4f5c6..cec5b80 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3152,7 +3152,7 @@ static inline abi_long do_msgsnd(int msqid, abi_long msgp, } static inline abi_long do_msgrcv(int msqid, abi_long msgp, - unsigned int msgsz, abi_long msgtyp, + ssize_t msgsz, abi_long msgtyp, int msgflg) { struct target_msgbuf *target_mb;
@@ -3160,6 +3160,10 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp, struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0)) return -TARGET_EFAULT;
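Review bot: in the first hunk (the do_msgrcv() prototype, `- unsigned int msgsz` to `+ ssize_t msgsz`), the new type only helps if the callers hand do_msgrcv() the guest value as a signed quantity so that a 32-bit guest's 0xffffffff sign-extends to -1, which is the mechanism the commit message relies on; the call sites are not in this patch, so please confirm that both the direct msgrcv syscall dispatch and any ipc() multiplexer path through which msgrcv is reached pass msgsz as a signed abi_long rather than an unsigned value, otherwise the negative check added in the second hunk cannot trigger for that input.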
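Review bot: in the second hunk, the new `if (msgsz < 0) { return -TARGET_EINVAL; }` is placed before lock_user_struct(), so it returns with no guest memory locked and nothing to unlock, which is the right ordering; one small request: since a reader of this function sees a `< 0` test on something the ABI nominally calls a size_t, a one-line comment noting that the kernel rejects a msgsz that is negative as a long with EINVAL (the same reasoning as in do_msgsnd(), per the commit message) would stop the check from being "simplified" away later.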
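The widening bug the commit message describes, as an added example that is not QEMU's code: it models a 32-bit guest on an LP64 host with explicit fixed-width types, uses a stand-in host_msgrcv_check() for the host kernel's "negative when cast to a long" test, and assumes TARGET_EINVAL is 22; all of those names and values are assumptions made for illustration. old_msgsz_path() is the pre-patch unsigned-int widening, new_msgsz_path() the ssize_t parameter plus explicit check, and native32_path() what the same bits would do on a native 32-bit kernel.

```c
/*
 * Added example (not QEMU code): why 0xffffffff from a 32-bit guest
 * slipped past a 64-bit host before this patch.
 * Assumptions for illustration: an LP64 host (64-bit long), a 32-bit
 * guest abi_long, TARGET_EINVAL == 22, and host_msgrcv_check() standing
 * in for the host kernel's own "(long)msgsz < 0" validation in msgrcv().
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TARGET_EINVAL 22            /* assumed guest errno value */

typedef int32_t  abi_long;          /* 32-bit guest 'long' */
typedef int64_t  host_long;         /* LP64 host 'long' */
typedef uint64_t host_size_t;       /* host size_t */
typedef int64_t  host_ssize_t;      /* host ssize_t, the patch's new type */

/* Stand-in for the host kernel: msgsz arrives as size_t, but a value
 * that is negative when viewed as a long is rejected with EINVAL. */
static int host_msgrcv_check(host_size_t msgsz)
{
    if ((host_long)msgsz < 0) {
        return -EINVAL;
    }
    return 0;                       /* host would go on and receive */
}

/* Before the patch: the guest value is widened through an unsigned int,
 * so guest -1 (0xffffffff) becomes 4294967295 with no sign bit left for
 * the host to notice. */
static int old_msgsz_path(abi_long guest_msgsz)
{
    unsigned int msgsz = guest_msgsz;
    return host_msgrcv_check((host_size_t)msgsz);
}

/* After the patch: ssize_t parameter plus an explicit check, as in
 * do_msgsnd(). Guest -1 sign-extends to host -1 and is caught here. */
static int new_msgsz_path(abi_long guest_msgsz)
{
    host_ssize_t msgsz = guest_msgsz;
    if (msgsz < 0) {
        return -TARGET_EINVAL;
    }
    return host_msgrcv_check((host_size_t)msgsz);
}

/* Reference behaviour: the same bits on a native 32-bit kernel, where
 * (long)0xffffffff is -1 and is rejected. */
static int native32_path(abi_long guest_msgsz)
{
    uint32_t msgsz = (uint32_t)guest_msgsz;
    return ((int32_t)msgsz < 0) ? -TARGET_EINVAL : 0;
}

int main(void)
{
    /* Constructed inputs: a normal size, the largest positive guest size,
     * and the 0xffffffff case from the commit message (-1 as abi_long). */
    const abi_long inputs[] = { 64, 0x7fffffff, -1 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("guest msgsz 0x%08x: native32=%d old=%d new=%d\n",
               (uint32_t)inputs[i], native32_path(inputs[i]),
               old_msgsz_path(inputs[i]), new_msgsz_path(inputs[i]));
    }
    return 0;
}
```

Build with `cc -Wall` and run it: the 0xffffffff row shows old=0 beside native32=-22 and new=-22, which is the divergence between the native and the emulated syscall that the msgrcv03 test exposes, while the two positive sizes are accepted on every path.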