From patchwork Thu Sep 22 12:13:27 2016
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 76761
From: riku.voipio@linaro.org To: qemu-devel@nongnu.org Date: Thu, 22 Sep 2016 15:13:27 +0300 Message-Id: X-Mailer: git-send-email 2.1.4 In-Reply-To: References: X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.85.215.53 Subject: [Qemu-devel] [PULL 07/26] linux-user: Range check the nfds argument to ppoll syscall X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" From: Peter Maydell Do an initial range check on the ppoll syscall's nfds argument, to avoid possible overflow in the calculation of the lock_user() size argument. The host kernel will later apply the rather lower limit based on RLIMIT_NOFILE as appropriate. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.1.4 diff --git a/linux-user/syscall.c b/linux-user/syscall.c index eecccbb..7a50a57 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -9661,6 +9661,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, pfd = NULL; target_pfd = NULL; if (nfds) { + if (nfds > (INT_MAX / sizeof(struct target_pollfd))) { + ret = -TARGET_EINVAL; + break; + } + target_pfd = lock_user(VERIFY_WRITE, arg1, sizeof(struct target_pollfd) * nfds, 1); if (!target_pfd) {
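Review bot: the new check rejects negative guest values only because the comparison ends up unsigned, and the declaration of nfds is not in the visible context, so that should be stated next to the test. The right-hand side `INT_MAX / sizeof(struct target_pollfd)` is a size_t, so the usual arithmetic conversions promote nfds before the compare and a guest passing -1 is caught as well; a one-line comment such as "keep sizeof(struct target_pollfd) * nfds below INT_MAX so the lock_user() length cannot wrap on 32-bit hosts" would record why the bound is INT_MAX rather than anything tied to RLIMIT_NOFILE. Returning -TARGET_EINVAL is consistent with what Linux itself returns for an oversized nfds, and because the `break` happens before lock_user() is called there is no unlock to pair with it on this path.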
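The overflow the commit message refers to is easiest to see with the arithmetic forced to 32 bits, which is what a 32-bit host's size_t does. The following is an added illustration, not QEMU's code: it assumes a hypothetical 8-byte target_pollfd layout (int fd plus two shorts, like the host struct pollfd) and uses a return value of -1 as a stand-in for the syscall layer's -TARGET_EINVAL. It computes the unguarded byte count beside the guarded one so the wrap and the bound from the patch can be compared on the same inputs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for linux-user's struct target_pollfd. QEMU's real definition is
 * not on this page; an 8-byte layout (int fd, short events, short revents)
 * is assumed for the illustration and checked at compile time.
 */
struct target_pollfd {
    int32_t fd;
    int16_t events;
    int16_t revents;
};
_Static_assert(sizeof(struct target_pollfd) == 8, "assumed 8-byte pollfd");

/*
 * The unguarded size computation, evaluated with 32-bit unsigned arithmetic
 * the way a 32-bit host's size_t would do it. The product wraps silently, so
 * a huge nfds can turn into a tiny (even zero) byte count handed to the
 * guest-memory locking helper.
 */
uint32_t unchecked_len32(uint32_t nfds)
{
    return (uint32_t)sizeof(struct target_pollfd) * nfds;
}

/* The bound the patch adds: the product must fit in an int. */
bool nfds_in_range(uint32_t nfds)
{
    return nfds <= (uint32_t)(INT_MAX / sizeof(struct target_pollfd));
}

/*
 * Guarded computation: -1 stands in for -TARGET_EINVAL; otherwise the exact
 * byte count, now known to be at most INT_MAX, so it cannot have wrapped on
 * a host of any pointer width.
 */
int64_t checked_len(uint32_t nfds)
{
    if (!nfds_in_range(nfds)) {
        return -1;
    }
    return (int64_t)sizeof(struct target_pollfd) * (int64_t)nfds;
}

int main(void)
{
    /* Constructed inputs: a sane count, the largest count the bound accepts,
     * a count whose product wraps to exactly zero, and a guest "-1". */
    uint32_t samples[] = {
        1024u,
        (uint32_t)(INT_MAX / sizeof(struct target_pollfd)),
        0x20000000u,
        0xFFFFFFFFu,
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = samples[i];
        printf("nfds=%10u  unchecked(32-bit)=%10u  checked=%lld\n",
               n, unchecked_len32(n), (long long)checked_len(n));
    }
    return 0;
}
```

With nfds = 0x20000000 the 32-bit product is 2^35, which wraps to 0: the locking helper would be asked for zero bytes while the loop that follows still believes it has half a billion entries. The bound INT_MAX / sizeof(struct target_pollfd) (268435455 for the assumed layout) rejects that value and the guest "-1" alike, while leaving every count that can actually fit in an int untouched.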