linux-user: Restrict usage of sa_restorer

Reading and writing to an sa_restorer member that isn't supposed to exist corrupts user memory. Introduce TARGET_ARCH_HAS_SA_RESTORER, similar to the kernel's __ARCH_HAS_SA_RESTORER. Reported-by: Helge Deller <deller@gmx.de> Signed-off-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
2017-10-31 13:53:52 +01:00 · 2017-10-31 13:53:52 +01:00 · 7f047de18c
commit 7f047de18c
parent b0fbe46ad8
2 changed files with 15 additions and 2 deletions
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@ -777,7 +777,7 @@ int do_sigaction(int sig, const struct target_sigaction *act,
    if (oact) {
        __put_user(k->_sa_handler, &oact->_sa_handler);
        __put_user(k->sa_flags, &oact->sa_flags);
-#if !defined(TARGET_MIPS)
+#ifdef TARGET_ARCH_HAS_SA_RESTORER
        __put_user(k->sa_restorer, &oact->sa_restorer);
 #endif
        /* Not swapped.  */
@ -787,7 +787,7 @@ int do_sigaction(int sig, const struct target_sigaction *act,
        /* FIXME: This is not threadsafe.  */
        __get_user(k->_sa_handler, &act->_sa_handler);
        __get_user(k->sa_flags, &act->sa_flags);
-#if !defined(TARGET_MIPS)
+#ifdef TARGET_ARCH_HAS_SA_RESTORER
        __get_user(k->sa_restorer, &act->sa_restorer);
 #endif
        /* To be swapped in target_to_host_sigset.  */
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@ -445,6 +445,7 @@ int do_sigaction(int sig, const struct target_sigaction *act,
 #define TARGET_SA_RESTART      2u
 #define TARGET_SA_NODEFER      0x20u
 #define TARGET_SA_RESETHAND    4u
+#define TARGET_ARCH_HAS_SA_RESTORER 1
 #elif defined(TARGET_MIPS)
 #define TARGET_SA_NOCLDSTOP	0x00000001
 #define TARGET_SA_NOCLDWAIT	0x00010000
@ -483,6 +484,10 @@ int do_sigaction(int sig, const struct target_sigaction *act,
 #define TARGET_SA_RESTORER	0x04000000
 #endif

+#ifdef TARGET_SA_RESTORER
+#define TARGET_ARCH_HAS_SA_RESTORER 1
+#endif
+
 #if defined(TARGET_ALPHA)

 #define TARGET_SIGHUP            1
@ -718,19 +723,27 @@ struct target_sigaction {
 	abi_ulong	_sa_handler;
 #endif
 	target_sigset_t	sa_mask;
+#ifdef TARGET_ARCH_HAS_SA_RESTORER
+        /* ??? This is always present, but ignored unless O32.  */
+        abi_ulong sa_restorer;
+#endif
 };
 #else
 struct target_old_sigaction {
        abi_ulong _sa_handler;
        abi_ulong sa_mask;
        abi_ulong sa_flags;
+#ifdef TARGET_ARCH_HAS_SA_RESTORER
        abi_ulong sa_restorer;
+#endif
 };

 struct target_sigaction {
        abi_ulong _sa_handler;
        abi_ulong sa_flags;
+#ifdef TARGET_ARCH_HAS_SA_RESTORER
        abi_ulong sa_restorer;
+#endif
        target_sigset_t sa_mask;
 };
 #endif