| Message ID | 1468852560-9054-3-git-send-email-peter.maydell@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Ping? It looks like patch 1/2 of this series got into the recent linux-user pullreq, but this one (2/2) didn't. Do you want a resend as a standalone patch? thanks -- PMM On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote: > The epoll event array which epoll_wait() allocates has a size > determined by the guest which could potentially be quite large. > Use g_try_new() rather than alloca() so that we can fail more > cleanly if the guest hands us an oversize value. (ENOMEM is > not a documented return value for epoll_wait() but in practice > some kernel configurations can return it -- see for instance > sys_oabi_epoll_wait() on ARM.) > > This rearrangement includes fixing a bug where we were > incorrectly passing a negative length to unlock_user() in > the error-exit codepath. > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > linux-user/syscall.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index 3552295..721d7b1 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > goto efault; > } > > - ep = alloca(maxevents * sizeof(struct epoll_event)); > + ep = g_try_new(struct epoll_event, maxevents); > + if (!ep) { > + unlock_user(target_ep, arg2, 0); > + ret = -TARGET_ENOMEM; > + break; > + } > > switch (num) { > #if defined(TARGET_NR_epoll_pwait) > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > target_set = lock_user(VERIFY_READ, arg5, > sizeof(target_sigset_t), 1); > if (!target_set) { > - unlock_user(target_ep, arg2, 0); > - goto efault; > + ret = -TARGET_EFAULT; > + break; > } > target_to_host_sigset(set, target_set); > unlock_user(target_set, arg5, 0); > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > target_ep[i].events = tswap32(ep[i].events); > target_ep[i].data.u64 = tswap64(ep[i].data.u64); > } > + unlock_user(target_ep, arg2, > + ret * sizeof(struct target_epoll_event)); > + } else { > + unlock_user(target_ep, arg2, 0); > } > - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); > + g_free(ep); > break; > } > #endif > -- > 1.9.1
On Tue, Oct 04, 2016 at 02:09:33PM +0100, Peter Maydell wrote: > Ping? It looks like patch 1/2 of this series got into the > recent linux-user pullreq, but this one (2/2) didn't. Do > you want a resend as a standalone patch? No need, I've pulled it from patchwork, for some reason this didn't get to my mailbox... > On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote: > > The epoll event array which epoll_wait() allocates has a size > > determined by the guest which could potentially be quite large. > > Use g_try_new() rather than alloca() so that we can fail more > > cleanly if the guest hands us an oversize value. (ENOMEM is > > not a documented return value for epoll_wait() but in practice > > some kernel configurations can return it -- see for instance > > sys_oabi_epoll_wait() on ARM.) > > > > This rearrangement includes fixing a bug where we were > > incorrectly passing a negative length to unlock_user() in > > the error-exit codepath. > > > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > > --- > > linux-user/syscall.c | 17 +++++++++++++---- > > 1 file changed, 13 insertions(+), 4 deletions(-) > > > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > > index 3552295..721d7b1 100644 > > --- a/linux-user/syscall.c > > +++ b/linux-user/syscall.c > > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > goto efault; > > } > > > > - ep = alloca(maxevents * sizeof(struct epoll_event)); > > + ep = g_try_new(struct epoll_event, maxevents); > > + if (!ep) { > > + unlock_user(target_ep, arg2, 0); > > + ret = -TARGET_ENOMEM; > > + break; > > + } > > > > switch (num) { > > #if defined(TARGET_NR_epoll_pwait) > > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > target_set = lock_user(VERIFY_READ, arg5, > > sizeof(target_sigset_t), 1); > > if (!target_set) { > > - unlock_user(target_ep, arg2, 0); > > - goto efault; > > + ret = -TARGET_EFAULT; > > + break; > > } > > target_to_host_sigset(set, target_set); > > unlock_user(target_set, arg5, 0); > > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > target_ep[i].events = tswap32(ep[i].events); > > target_ep[i].data.u64 = tswap64(ep[i].data.u64); > > } > > + unlock_user(target_ep, arg2, > > + ret * sizeof(struct target_epoll_event)); > > + } else { > > + unlock_user(target_ep, arg2, 0); > > } > > - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); > > + g_free(ep); > > break; > > } > > #endif > > -- > > 1.9.1
diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 3552295..721d7b1 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, goto efault; } - ep = alloca(maxevents * sizeof(struct epoll_event)); + ep = g_try_new(struct epoll_event, maxevents); + if (!ep) { + unlock_user(target_ep, arg2, 0); + ret = -TARGET_ENOMEM; + break; + } switch (num) { #if defined(TARGET_NR_epoll_pwait) @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, target_set = lock_user(VERIFY_READ, arg5, sizeof(target_sigset_t), 1); if (!target_set) { - unlock_user(target_ep, arg2, 0); - goto efault; + ret = -TARGET_EFAULT; + break; } target_to_host_sigset(set, target_set); unlock_user(target_set, arg5, 0); @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, target_ep[i].events = tswap32(ep[i].events); target_ep[i].data.u64 = tswap64(ep[i].data.u64); } + unlock_user(target_ep, arg2, + ret * sizeof(struct target_epoll_event)); + } else { + unlock_user(target_ep, arg2, 0); } - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); + g_free(ep); break; } #endif
The epoll event array which epoll_wait() allocates has a size determined by the guest which could potentially be quite large. Use g_try_new() rather than alloca() so that we can fail more cleanly if the guest hands us an oversize value. (ENOMEM is not a documented return value for epoll_wait() but in practice some kernel configurations can return it -- see for instance sys_oabi_epoll_wait() on ARM.) This rearrangement includes fixing a bug where we were incorrectly passing a negative length to unlock_user() in the error-exit codepath. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- linux-user/syscall.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)