SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

linux-user: Check for bad event numbers in epoll_wait

Browse Source 
The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
 * we fail these cases EINVAL rather than EFAULT
 * we don't pass negative or overflowing values to the
   lock_user() size calculation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
This commit is contained in:
Peter Maydell 2016-07-18 15:35:59 +01:00 committed by Riku Voipio
parent 700fa58e4b
commit 2ba7fae3bd
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
linux-user/syscall.c
View File

@ -11501,6 +11501,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
int maxevents = arg3; int maxevents = arg3;
int timeout = arg4; int timeout = arg4;
if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
ret = -TARGET_EINVAL;
break;
}
target_ep = lock_user(VERIFY_WRITE, arg2, target_ep = lock_user(VERIFY_WRITE, arg2,
maxevents * sizeof(struct target_epoll_event), 1); maxevents * sizeof(struct target_epoll_event), 1);
if (!target_ep) { if (!target_ep) {

3
linux-user/syscall_defs.h
View File

@ -2585,6 +2585,9 @@ struct target_epoll_event {
abi_uint events; abi_uint events;
target_epoll_data_t data; target_epoll_data_t data;
} TARGET_EPOLL_PACKED; } TARGET_EPOLL_PACKED;
#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
#endif #endif
struct target_rlimit64 { struct target_rlimit64 {
uint64_t rlim_cur; uint64_t rlim_cur;