[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH] linux-user: Range check the nfds argument to ppoll
From: |
Peter Maydell |
Subject: |
[Qemu-devel] [PATCH] linux-user: Range check the nfds argument to ppoll syscall |
Date: |
Mon, 18 Jul 2016 16:30:36 +0100 |
Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.
Signed-off-by: Peter Maydell <address@hidden>
---
This fixes an LTP test case which passes -1 for nfds.
The test is kind of bogus in that it should ideally
pass a valid-but-over-the-rlimit nfds for this corner
case rather than assuming EINVAL is checked before
EFAULT, but in any case QEMU should protect itself
against the overflow.
---
linux-user/syscall.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 721d7b1..4da7822 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9180,6 +9180,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
pfd = NULL;
target_pfd = NULL;
if (nfds) {
+ if (nfds > (INT_MAX / sizeof(struct target_pollfd))) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+
target_pfd = lock_user(VERIFY_WRITE, arg1,
sizeof(struct target_pollfd) * nfds, 1);
if (!target_pfd) {
--
1.9.1
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [PATCH] linux-user: Range check the nfds argument to ppoll syscall,
Peter Maydell <=