| Message ID | 1468855836-11964-1-git-send-email-peter.maydell@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 721d7b1..4da7822 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -9180,6 +9180,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, pfd = NULL; target_pfd = NULL; if (nfds) { + if (nfds > (INT_MAX / sizeof(struct target_pollfd))) { + ret = -TARGET_EINVAL; + break; + } + target_pfd = lock_user(VERIFY_WRITE, arg1, sizeof(struct target_pollfd) * nfds, 1); if (!target_pfd) {
Do an initial range check on the ppoll syscall's nfds argument, to avoid possible overflow in the calculation of the lock_user() size argument. The host kernel will later apply the rather lower limit based on RLIMIT_NOFILE as appropriate. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- This fixes an LTP test case which passes -1 for nfds. The test is kind of bogus in that it should ideally pass a valid-but-over-the-rlimit nfds for this corner case rather than assuming EINVAL is checked before EFAULT, but in any case QEMU should protect itself against the overflow. --- linux-user/syscall.c | 5 +++++ 1 file changed, 5 insertions(+)