[Qemu-devel] [V3 PATCH 02/13] linux-user: Dereference Pointer Argument to ipc/semctl Sys Call

[Tom Musta]

When the ipc system call is used to wrap a semctl system call,
the ptr argument to ipc needs to be dereferenced prior to passing
it to the semctl handler.  This is because the fourth argument to
semctl is a union and not a pointer to a union.

Signed-off-by: Tom Musta <address@hidden>
---
V2:  This is unchanged from V1.  I *did* review the QEMU, glibc and kernel code
looking for some problems but did not find anything.  I also did fairly 
comprehesive
testing of semctl on 4 targets (ppc-linux-user, ppc64-linux-user, 
ppc64le-linux-user,
x86_64-linux-user) on 3 different host platforms (x86-64 Ubuntu, PPC64 RHEL 6 
(BE) and
PPC64 Ubuntu 14.04 (LE)); this provided a broad coverage of co-endian and cross 
endian
situations.

 linux-user/syscall.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 540001c..229c482 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3135,9 +3135,15 @@ static abi_long do_ipc(unsigned int call, int first,
         ret = get_errno(semget(first, second, third));
         break;
 
-    case IPCOP_semctl:
-        ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) 
ptr);
+    case IPCOP_semctl: {
+        /* The semun argument to semctl is passed by value, so dereference the
+         * ptr argument. */
+        abi_ulong atptr;
+        get_user_ual(atptr, (abi_ulong)ptr);
+        ret = do_semctl(first, second, third,
+                (union target_semun)(abi_ulong) atptr);
         break;
+    }
 
     case IPCOP_msgget:
         ret = get_errno(msgget(first, second));
-- 
1.7.1