From patchwork Fri Aug 22 13:24:23 2014
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 35801
From: riku.voipio@linaro.org
To: Peter Maydell, qemu-devel@nongnu.org
Cc: Mike Frysinger
Date: Fri, 22 Aug 2014 16:24:23 +0300
Subject: [Qemu-devel] [PULL v3 05/22] linux-user: fix readlink handling with magic exe symlink
X-Mailer: git-send-email 1.7.10.4
From: Mike Frysinger

The current code always returns the length of the path when it should be
returning the number of bytes it wrote to the output string.

Further, readlink is not supposed to append a NUL byte, but the current
snprintf logic will always do just that.

Even further, if you pass in a length of 0, you're supposed to get back
an error (EINVAL), but the current logic just returns 0.

Further still, if there was an error reading the symlink, we should not
go ahead and try to read the target buffer as it is garbage.

Simple test for the first two issues:

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main() {
    char buf[50];
    size_t len;
    for (len = 0; len < 10; ++len) {
        /* Pre-fill so every byte readlink writes (including a NUL) is visible. */
        memset(buf, '!', sizeof(buf));
        ssize_t ret = readlink("/proc/self/exe", buf, len);
        buf[20] = '\0';
        printf("readlink(/proc/self/exe, {%s}, %zu) = %zi\n", buf, len, ret);
    }
    return 0;
}

Now compare the output of the native:
$ gcc test.c -o /tmp/x
$ /tmp/x
$ strace /tmp/x

With what qemu does:
$ armv7a-cros-linux-gnueabi-gcc test.c -o /tmp/x -static
$ qemu-arm /tmp/x
$ qemu-arm -strace /tmp/x

Signed-off-by: Mike Frysinger
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fccf9f0..7c108ab 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6636,11 +6636,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0); if (!p || !p2) { ret = -TARGET_EFAULT; + } else if (!arg3) { + /* Short circuit this for the magic exe check. */ + ret = -TARGET_EINVAL; } else if (is_proc_myself((const char *)p, "exe")) { char real[PATH_MAX], *temp; temp = realpath(exec_path, real); - ret = temp == NULL ? get_errno(-1) : strlen(real) ; - snprintf((char *)p2, arg3, "%s", real); + /* Return value is # of bytes that we wrote to the buffer. */ + if (temp == NULL) { + ret = get_errno(-1); + } else { + /* Don't worry about sign mismatch as earlier mapping + * logic would have thrown a bad address error. */ + ret = MIN(strlen(real), arg3); + /* We cannot NUL terminate the string. */ + memcpy(p2, real, ret); + } } else { ret = get_errno(readlink(path(p), p2, arg3)); }
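Review bot: the comment on the new `} else if (!arg3) {` branch says it short-circuits "the magic exe check", but the branch sits before `is_proc_myself()` and therefore also pre-empts the host `readlink()` path for every target. That is still correct behaviour, since the host kernel returns EINVAL for a zero-length buffer as well, but the comment should say the check covers both paths. Separately, `ret = MIN(strlen(real), arg3);` compares a `size_t` with the signed `abi_long arg3`; the accompanying comment relies on the earlier mapping logic rejecting a negative length as a bad address, which means a negative `arg3` surfaces as EFAULT here while the new zero-length branch returns EINVAL. Either widen the branch to `arg3 <= 0` or note the divergence next to it.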
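The four readlink contract points listed in the commit message (bytes written as the return value, no NUL terminator, EINVAL on a zero length, no buffer access after a realpath failure) are easy to misread from the hunk alone. The following stand-alone model is an added example, not QEMU's code: `readlink_exe_old` and `readlink_exe_new` reproduce the before and after logic of the magic `/proc/self/exe` branch, `real` stands in for the `realpath()` result (NULL models a failure with `errno` already set), `MIN_SZ` stands in for QEMU's `MIN`, the `probe*` helpers and the path `/tmp/x` are constructed for the demonstration, and results follow QEMU's convention of returning a negative errno.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define FILL '!'   /* fill byte, as in the commit's test program */
#define MIN_SZ(a, b) ((a) < (b) ? (a) : (b))   /* stand-in for QEMU's MIN */

/* Before the fix: the return value is the full path length, and snprintf
 * always writes a terminating NUL, truncating the path to len - 1 bytes. */
long readlink_exe_old(const char *real, char *buf, size_t len)
{
    snprintf(buf, len, "%s", real);
    return (long)strlen(real);
}

/* After the fix: EINVAL for a zero length, a realpath failure is returned
 * before the buffer is touched, at most len bytes are copied with no NUL,
 * and the return value is the number of bytes actually copied. */
long readlink_exe_new(const char *real, char *buf, size_t len)
{
    if (len == 0) {
        return -EINVAL;
    }
    if (real == NULL) {
        return -errno;   /* realpath() failed and left errno set */
    }
    size_t n = MIN_SZ(strlen(real), len);
    memcpy(buf, real, n);
    return (long)n;
}

/* Probe harness (constructed): fill a buffer with FILL, run one version,
 * and hand back its result so the buffer can be inspected afterwards. */
static char g_buf[64];

long probe(int use_new, const char *real, size_t len)
{
    memset(g_buf, FILL, sizeof g_buf);
    return use_new ? readlink_exe_new(real, g_buf, len)
                   : readlink_exe_old(real, g_buf, len);
}

/* Model a realpath() failure with the given errno value. */
long probe_realpath_failure(int err)
{
    memset(g_buf, FILL, sizeof g_buf);
    errno = err;
    return readlink_exe_new(NULL, g_buf, 16);
}

/* True if the first n bytes of the probed buffer equal expect (NULs included). */
int probe_buf_is(const char *expect, size_t n)
{
    return memcmp(g_buf, expect, n) == 0;
}

int main(void)
{
    const char *real = "/tmp/x";   /* constructed stand-in for realpath() output */
    for (size_t len = 0; len < 10; ++len) {
        long o = probe(0, real, len);
        long n = probe(1, real, len);
        printf("len=%zu old=%ld new=%ld\n", len, o, n);
    }
    return 0;
}
```

Running the loop mirrors the commit's native-versus-qemu comparison: for a length of 3 the old model reports 6 and leaves `/t` plus a NUL in the buffer, while the new model reports 3 and leaves `/tm` with the fill byte untouched after it, which is exactly what a native `readlink()` does.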