diff options
| author | Peter Maydell | 2014-05-15 15:40:23 +0200 |
|---|---|---|
| committer | Riku Voipio | 2014-06-17 08:21:41 +0200 |
| commit | be3bd286bc06bb68cdc71748d9dd4edcd57b2b24 (patch) | |
| tree | 8003dc4f8cdfed7de229c5d2e2843d72698c3027 /linux-user/syscall.c | |
| parent | linux-user/uname: Return correct uname string for x86_64 (diff) | |
| download | qemu-be3bd286bc06bb68cdc71748d9dd4edcd57b2b24.tar.gz qemu-be3bd286bc06bb68cdc71748d9dd4edcd57b2b24.tar.xz qemu-be3bd286bc06bb68cdc71748d9dd4edcd57b2b24.zip | |
linux-user: Don't overrun guest buffer in sched_getaffinity
If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.
Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Diffstat (limited to 'linux-user/syscall.c')
| -rw-r--r-- | linux-user/syscall.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 6efeeff2bf..840ced1fda 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7438,6 +7438,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask)); if (!is_error(ret)) { + if (ret > arg2) { + /* More data returned than the caller's buffer will fit. + * This only happens if sizeof(abi_long) < sizeof(long) + * and the caller passed us a buffer holding an odd number + * of abi_longs. If the host kernel is actually using the + * extra 4 bytes then fail EINVAL; otherwise we can just + * ignore them and only copy the interesting part. + */ + int numcpus = sysconf(_SC_NPROCESSORS_CONF); + if (numcpus > arg2 * 8) { + ret = -TARGET_EINVAL; + break; + } + ret = arg2; + } + if (copy_to_user(arg3, mask, ret)) { goto efault; } |