From patchwork Tue Jun 17 14:56:58 2014
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 32044
From: riku.voipio@linaro.org
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org
Date: Tue, 17 Jun 2014 17:56:58 +0300
X-Mailer: git-send-email 1.7.10.4
Subject: [Qemu-devel] [PULL v2 15/17] linux-user: Don't overrun guest buffer in sched_getaffinity
From: Peter Maydell

If the guest's "long" type is smaller than the host's, then our sched_getaffinity wrapper needs to round the buffer size up to a multiple of the host sizeof(long). This means that when we copy the data back from the host buffer to the guest's buffer there might be more than we can fit. Rather than overflowing the guest's buffer, handle this case by returning EINVAL or ignoring the unused extra space, as appropriate.

Note that only guests using the syscall interface directly might run into this bug -- the glibc wrappers around it will always use a buffer whose size is a multiple of 8 regardless of guest architecture.

Signed-off-by: Peter Maydell
Signed-off-by: Riku Voipio
--- linux-user/syscall.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 6efeeff..840ced1 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7438,6 +7438,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask)); if (!is_error(ret)) { + if (ret > arg2) { + /* More data returned than the caller's buffer will fit. + * This only happens if sizeof(abi_long) < sizeof(long) + * and the caller passed us a buffer holding an odd number + * of abi_longs. If the host kernel is actually using the + * extra 4 bytes then fail EINVAL; otherwise we can just + * ignore them and only copy the interesting part. + */ + int numcpus = sysconf(_SC_NPROCESSORS_CONF); + if (numcpus > arg2 * 8) { + ret = -TARGET_EINVAL; + break; + } + ret = arg2; + } + if (copy_to_user(arg3, mask, ret)) { goto efault; }
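Review bot: the `numcpus > arg2 * 8` test in the `if (ret > arg2)` block answers the comment's question ("If the host kernel is actually using the extra 4 bytes") indirectly, via a CPU count, when the bytes in question are already sitting in `mask`; scanning `mask` from offset `arg2` up to `ret` and failing only if a byte is non-zero would test the actual data, and would not depend on `sysconf(_SC_NPROCESSORS_CONF)`, which returns -1 on failure (making the comparison false and the copy silently truncated) and counts configured CPUs rather than the highest CPU id, so a sparse CPU numbering could leave a set bit above `arg2 * 8` that this check drops. Something like `for (i = arg2; i < ret; i++) if (((char *)mask)[i]) { ret = -TARGET_EINVAL; goto fail; }` before `ret = arg2;` would do it; note a plain `break` inside such a loop would leave the loop rather than the `switch`, unlike the `break` used in the hunk now. Minor: the literal `8` is really CHAR_BIT and a named constant would read better.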
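The overrun the commit message describes, as an added example that is not the patch's or QEMU's code: a stand-alone C model of the wrapper for a guest whose long is 4 bytes running on a host whose long is 8 bytes. The fake host syscall, the 16-byte guest memory image with its 0xAA canary, the `GUEST_EINVAL` value and the `ncpus` parameter standing in for `sysconf(_SC_NPROCESSORS_CONF)` are constructed assumptions; `wrapper_before` copies back everything the host returned (the bug), `wrapper_after` applies the patch's check.

```c
/* Added example (not QEMU code): a model of the linux-user
 * sched_getaffinity wrapper before and after the fix, with a 4-byte
 * guest long on a host whose long is 8 bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_LONG      8    /* assumed sizeof(long) on the host */
#define GUEST_EINVAL   22   /* assumed value of TARGET_EINVAL */
#define GUEST_MEM_SIZE 16   /* constructed guest memory image */

typedef int32_t abi_long;   /* the guest's 4-byte "long" */

struct outcome {
    int ret;            /* what the wrapper returns to the guest */
    int canary_ok;      /* 1 if nothing beyond the guest buffer was written */
    uint8_t first_byte; /* first byte of the mask the guest received */
};

/* Constructed stand-in for the host kernel: like the real syscall it
 * rejects a length that is not a multiple of sizeof(long) or too short
 * for all CPUs, sets one bit per CPU 0..ncpus-1 and returns the number
 * of bytes written, always a multiple of HOST_LONG. */
static int fake_host_getaffinity(int ncpus, size_t len, uint8_t *mask)
{
    size_t cpumask_size = ((size_t)ncpus + HOST_LONG * 8 - 1) / (HOST_LONG * 8) * HOST_LONG;
    if (len % HOST_LONG || len * 8 < (size_t)ncpus)
        return -GUEST_EINVAL;
    memset(mask, 0, len);
    for (int cpu = 0; cpu < ncpus; cpu++)
        mask[cpu / 8] |= (uint8_t)(1u << (cpu % 8));
    return (int)(len < cpumask_size ? len : cpumask_size);
}

/* Common first half: round the guest's size up to a multiple of the
 * host long, as the wrapper must, then ask the host. */
static int host_call(int ncpus, abi_long arg2, uint8_t *mask, size_t cap)
{
    size_t mask_size = ((size_t)arg2 + HOST_LONG - 1) & ~(size_t)(HOST_LONG - 1);
    if (arg2 <= 0 || mask_size > cap)
        return -GUEST_EINVAL;
    return fake_host_getaffinity(ncpus, mask_size, mask);
}

/* Before the fix: copy back every byte the host returned. With arg2 == 4
 * the host's 8-byte answer overruns the guest's 4-byte buffer. */
static int wrapper_before(int ncpus, abi_long arg2, uint8_t *guest_mem)
{
    uint8_t mask[GUEST_MEM_SIZE];
    int ret = host_call(ncpus, arg2, mask, sizeof mask);
    if (ret < 0)
        return ret;
    memcpy(guest_mem, mask, (size_t)ret);   /* ret may exceed arg2 */
    return ret;
}

/* After the fix, the patch's logic with ncpus in place of
 * sysconf(_SC_NPROCESSORS_CONF): if the host returned more than asked for,
 * fail EINVAL when CPUs could live in the extra bytes, else copy arg2 bytes. */
static int wrapper_after(int ncpus, abi_long arg2, uint8_t *guest_mem)
{
    uint8_t mask[GUEST_MEM_SIZE];
    int ret = host_call(ncpus, arg2, mask, sizeof mask);
    if (ret < 0)
        return ret;
    if (ret > arg2) {
        if (ncpus > arg2 * 8)
            return -GUEST_EINVAL;
        ret = arg2;
    }
    memcpy(guest_mem, mask, (size_t)ret);
    return ret;
}

/* One scenario: the guest buffer is the first arg2 bytes of a guest memory
 * image pre-filled with 0xAA; any other byte that changes is an overrun. */
static struct outcome run(int (*wrapper)(int, abi_long, uint8_t *), int ncpus, abi_long arg2)
{
    uint8_t guest_mem[GUEST_MEM_SIZE];
    struct outcome o = { 0, 1, 0 };
    memset(guest_mem, 0xAA, sizeof guest_mem);
    o.ret = wrapper(ncpus, arg2, guest_mem);
    for (size_t i = (size_t)arg2; i < sizeof guest_mem; i++)
        if (guest_mem[i] != 0xAA)
            o.canary_ok = 0;
    o.first_byte = guest_mem[0];
    return o;
}

int main(void)
{
    static const struct { int ncpus; abi_long arg2; } cases[] = { { 4, 4 }, { 40, 4 }, { 4, 8 } };
    for (size_t i = 0; i < 3; i++) {
        struct outcome b = run(wrapper_before, cases[i].ncpus, cases[i].arg2);
        struct outcome a = run(wrapper_after, cases[i].ncpus, cases[i].arg2);
        printf("ncpus=%2d arg2=%d  before: ret=%3d canary %-11s  after: ret=%3d canary %s\n",
               cases[i].ncpus, (int)cases[i].arg2, b.ret, b.canary_ok ? "intact" : "overwritten",
               a.ret, a.canary_ok ? "intact" : "overwritten");
    }
    return 0;
}
```

With 4 CPUs and a 4-byte guest buffer the unfixed wrapper returns 8 and clobbers the four bytes past the buffer; the fixed one returns 4 with the canary intact. With 40 CPUs the extra host bytes carry real CPU bits, so the fixed wrapper refuses with EINVAL instead of either overrunning or silently dropping CPUs. A guest buffer that is already a multiple of 8 behaves identically before and after, which is why glibc callers never hit the bug.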