| Message ID | 1467902683-12904-1-git-send-email-peter.maydell@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, Jul 07, 2016 at 03:44:43PM +0100, Peter Maydell wrote: > If userspace specifies a short buffer for a target sockaddr, > the kernel will only copy in as much as it has space for > (or none at all if the length is zero) -- see the kernel > move_addr_to_user() function. Mimic this in QEMU's > host_to_target_sockaddr() routine. > > In particular, this fixes a segfault running the LTP > recvfrom01 test, where the guest makes a recvfrom() > call with a bad buffer pointer and other parameters which > cause the kernel to set the addrlen to zero; because we > did not skip the attempt to swap the sa_family field we > segfaulted on the bad address. > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> All your patches up to this one applied to linux-user, thanks! Riku > --- > linux-user/syscall.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index 165fd06..6e77d34 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -1374,12 +1374,19 @@ static inline abi_long host_to_target_sockaddr(abi_ulong target_addr, > { > struct target_sockaddr *target_saddr; > > + if (len == 0) { > + return 0; > + } > + > target_saddr = lock_user(VERIFY_WRITE, target_addr, len, 0); > if (!target_saddr) > return -TARGET_EFAULT; > memcpy(target_saddr, addr, len); > - target_saddr->sa_family = tswap16(addr->sa_family); > - if (addr->sa_family == AF_NETLINK) { > + if (len >= offsetof(struct target_sockaddr, sa_family) + > + sizeof(target_saddr->sa_family)) { > + target_saddr->sa_family = tswap16(addr->sa_family); > + } > + if (addr->sa_family == AF_NETLINK && len >= sizeof(struct sockaddr_nl)) { > struct sockaddr_nl *target_nl = (struct sockaddr_nl *)target_saddr; > target_nl->nl_pid = tswap32(target_nl->nl_pid); > target_nl->nl_groups = tswap32(target_nl->nl_groups); > -- > 1.9.1 >
diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 165fd06..6e77d34 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1374,12 +1374,19 @@ static inline abi_long host_to_target_sockaddr(abi_ulong target_addr, { struct target_sockaddr *target_saddr; + if (len == 0) { + return 0; + } + target_saddr = lock_user(VERIFY_WRITE, target_addr, len, 0); if (!target_saddr) return -TARGET_EFAULT; memcpy(target_saddr, addr, len); - target_saddr->sa_family = tswap16(addr->sa_family); - if (addr->sa_family == AF_NETLINK) { + if (len >= offsetof(struct target_sockaddr, sa_family) + + sizeof(target_saddr->sa_family)) { + target_saddr->sa_family = tswap16(addr->sa_family); + } + if (addr->sa_family == AF_NETLINK && len >= sizeof(struct sockaddr_nl)) { struct sockaddr_nl *target_nl = (struct sockaddr_nl *)target_saddr; target_nl->nl_pid = tswap32(target_nl->nl_pid); target_nl->nl_groups = tswap32(target_nl->nl_groups);
If userspace specifies a short buffer for a target sockaddr, the kernel will only copy in as much as it has space for (or none at all if the length is zero) -- see the kernel move_addr_to_user() function. Mimic this in QEMU's host_to_target_sockaddr() routine. In particular, this fixes a segfault running the LTP recvfrom01 test, where the guest makes a recvfrom() call with a bad buffer pointer and other parameters which cause the kernel to set the addrlen to zero; because we did not skip the attempt to swap the sa_family field we segfaulted on the bad address. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- linux-user/syscall.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)