[1/2] linux-user: Check for bad event numbers in epoll_wait

Message ID	1468852560-9054-2-git-send-email-peter.maydell@linaro.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org> From: Peter Maydell <peter.maydell@linaro.org> To: qemu-devel@nongnu.org Date: Mon, 18 Jul 2016 15:35:59 +0100 Message-Id: <1468852560-9054-2-git-send-email-peter.maydell@linaro.org> In-Reply-To: <1468852560-9054-1-git-send-email-peter.maydell@linaro.org> References: <1468852560-9054-1-git-send-email-peter.maydell@linaro.org> Subject: [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Precedence: list Cc: Riku Voipio <riku.voipio@iki.fi>, patches@linaro.org Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Message ID

1468852560-9054-2-git-send-email-peter.maydell@linaro.org (mailing list archive)

State

New, archived

Headers

From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Date: Mon, 18 Jul 2016 15:35:59 +0100
Message-Id: <1468852560-9054-2-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1468852560-9054-1-git-send-email-peter.maydell@linaro.org>
References: <1468852560-9054-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in
	epoll_wait
Precedence: list
Cc: Riku Voipio <riku.voipio@iki.fi>, patches@linaro.org
Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Commit Message

Peter Maydell July 18, 2016, 2:35 p.m. UTC

The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
 * we fail these cases EINVAL rather than EFAULT
 * we don't pass negative or overflowing values to the
   lock_user() size calculation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
This fixes an LTP epoll_wait03 test case that checks a
negative max_events argument.
---
 linux-user/syscall.c      | 5 +++++
 linux-user/syscall_defs.h | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fe72abe..3552295 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11024,6 +11024,11 @@  abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
         int maxevents = arg3;
         int timeout = arg4;
 
+        if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
+            ret = -TARGET_EINVAL;
+            break;
+        }
+
         target_ep = lock_user(VERIFY_WRITE, arg2,
                               maxevents * sizeof(struct target_epoll_event), 1);
         if (!target_ep) {
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index d9dea0e..dbf6a38 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2585,6 +2585,9 @@  struct target_epoll_event {
     abi_uint events;
     target_epoll_data_t data;
 } TARGET_EPOLL_PACKED;
+
+#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
+
 #endif
 struct target_rlimit64 {
     uint64_t rlim_cur;

[1/2] linux-user: Check for bad event numbers in epoll_wait

Commit Message

Patch