From patchwork Tue Aug 19 08:32:40 2014
From: riku.voipio@linaro.org
To: Peter Maydell, qemu-devel@nongnu.org
Cc: Mike Frysinger
Date: Tue, 19 Aug 2014 11:32:40 +0300
Message-Id: <608f31b38530360ac0b74ec4a46da50e2b5bccb9.1408436940.git.riku.voipio@linaro.org>
Subject: [Qemu-devel] [PULL v2 05/23] linux-user: fix readlink handling with magic exe symlink
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 35551
X-Mailer: git-send-email 1.7.10.4
From: Mike Frysinger

The current code always returns the length of the path when it should be returning the number of bytes it wrote to the output string. Further, readlink is not supposed to append a NUL byte, but the current snprintf logic will always do just that. Even further, if you pass in a length of 0, you're supposed to get back an error (EINVAL), but the current logic just returns 0. Further still, if there was an error reading the symlink, we should not go ahead and try to read the target buffer as it is garbage.

Simple test for the first two issues:

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    char buf[50];
    size_t len;

    for (len = 0; len < 10; ++len) {
        /* Sentinel fill so untouched bytes are visible in the output. */
        memset(buf, '!', sizeof(buf));
        ssize_t ret = readlink("/proc/self/exe", buf, len);
        /* Cap the printed string; readlink does not NUL-terminate. */
        buf[20] = '\0';
        printf("readlink(/proc/self/exe, {%s}, %zu) = %zi\n", buf, len, ret);
    }
    return 0;
}

Now compare the output of the native:

$ gcc test.c -o /tmp/x
$ /tmp/x
$ strace /tmp/x

With what qemu does:

$ armv7a-cros-linux-gnueabi-gcc test.c -o /tmp/x -static
$ qemu-arm /tmp/x
$ qemu-arm -strace /tmp/x

Signed-off-by: Mike Frysinger
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fccf9f0..7c108ab 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6636,11 +6636,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0); if (!p || !p2) { ret = -TARGET_EFAULT; + } else if (!arg3) { + /* Short circuit this for the magic exe check. */ + ret = -TARGET_EINVAL; } else if (is_proc_myself((const char *)p, "exe")) { char real[PATH_MAX], *temp; temp = realpath(exec_path, real); - ret = temp == NULL ? get_errno(-1) : strlen(real) ; - snprintf((char *)p2, arg3, "%s", real); + /* Return value is # of bytes that we wrote to the buffer. */ + if (temp == NULL) { + ret = get_errno(-1); + } else { + /* Don't worry about sign mismatch as earlier mapping + * logic would have thrown a bad address error. */ + ret = MIN(strlen(real), arg3); + /* We cannot NUL terminate the string. */ + memcpy(p2, real, ret); + } } else { ret = get_errno(readlink(path(p), p2, arg3)); }
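Review bot: the comment on the new `else if (!arg3)` branch ("Short circuit this for the magic exe check.") does not say why the branch is needed; suggest stating that readlink(2) specifies EINVAL for a zero-length buffer and that without this branch the is_proc_myself() path would reach `MIN(strlen(real), arg3)` and `memcpy(p2, real, 0)` and return 0 instead of the error (the host readlink() in the final else already returns EINVAL on its own). On `ret = MIN(strlen(real), arg3);`, the comment argues that arg3 cannot be negative because lock_user() would already have failed; since that is the only thing making the size_t/abi_long comparison safe, consider writing the cast explicitly, e.g. `MIN(strlen(real), (size_t)arg3)`, so the intent survives a sign-compare warning and future edits to the lock_user() call above.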
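To check the first three behaviours from the commit message without a QEMU build, the following is an added example (not code from the patch or from QEMU) that models the pre-patch and patched magic-symlink logic as plain user-space functions over an already-resolved path, plus a probe in the spirit of test.c that records the return value, how many target bytes were copied, and whether a NUL was written. `readlink_exe_old`, `readlink_exe_new`, `probe_readlink` and the "/tmp/x" target are constructed here; the realpath() failure path is not modelled.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef long (*readlink_fn)(const char *real, char *buf, size_t bufsiz);

/* Pre-patch logic: returns the full path length whatever bufsiz is, and
 * lets snprintf NUL-terminate; both contradict readlink(2). */
static long readlink_exe_old(const char *real, char *buf, size_t bufsiz)
{
    snprintf(buf, bufsiz, "%s", real);
    return (long)strlen(real);
}

/* Patched logic: EINVAL for a zero-length buffer, copy at most bufsiz
 * bytes with no terminating NUL, return the number of bytes copied. */
static long readlink_exe_new(const char *real, char *buf, size_t bufsiz)
{
    if (bufsiz == 0) {
        return -EINVAL;
    }
    size_t n = strlen(real);
    if (n > bufsiz) {
        n = bufsiz; /* truncate silently, as the kernel does */
    }
    memcpy(buf, real, n);
    return (long)n;
}

struct probe {
    long ret;        /* value the emulated syscall returned */
    size_t copied;   /* leading bytes of buf that match the target */
    int nul_written; /* 1 if a NUL byte landed anywhere in buf */
};

/* Run one variant against a sentinel-filled buffer (as test.c above does)
 * and report what it did to the buffer. */
static struct probe probe_readlink(readlink_fn fn, const char *real, size_t len)
{
    struct probe r = {0, 0, 0};
    char buf[64];
    memset(buf, '!', sizeof(buf)); /* untouched bytes stay '!' */
    r.ret = fn(real, buf, len);
    while (r.copied < strlen(real) && buf[r.copied] == real[r.copied]) {
        r.copied++;
    }
    r.nul_written = memchr(buf, '\0', sizeof(buf)) != NULL;
    return r;
}
```

Looping `len` from 0 to 9 over both variants, as test.c does, shows the old code reporting 6 bytes for a 4-byte buffer and planting a NUL, while the new code reports the bytes it actually wrote and returns -EINVAL for len 0.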