From patchwork Fri Aug 15 11:01:24 2014
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 35428
From: riku.voipio@linaro.org
To: qemu-devel@nongnu.org
Date: Fri, 15 Aug 2014 14:01:24 +0300
X-Mailer: git-send-email 1.7.10.4
Cc: Peter Maydell, Mike Frysinger
Subject: [Qemu-devel] [PULL 06/24] linux-user: fix readlink handling with magic exe symlink
From: Mike Frysinger

The current code always returns the length of the path when it should be
returning the number of bytes it wrote to the output string.  Further,
readlink is not supposed to append a NUL byte, but the current snprintf
logic will always do just that.  Even further, if you pass in a length of
0, you're supposed to get back an error (EINVAL), but the current logic
just returns 0.  Further still, if there was an error reading the symlink,
we should not go ahead and try to read the target buffer as it is garbage.

Simple test for the first two issues:

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main()
{
	char buf[50];
	size_t len;
	for (len = 0; len < 10; ++len) {
		/* Fill the buffer so it is visible exactly which bytes readlink touched. */
		memset(buf, '!', sizeof(buf));
		ssize_t ret = readlink("/proc/self/exe", buf, len);
		/* readlink does not NUL-terminate; stop printf well past the written bytes. */
		buf[20] = '\0';
		printf("readlink(/proc/self/exe, {%s}, %zu) = %zi\n", buf, len, ret);
	}
	return 0;
}

Now compare the output of the native:
$ gcc test.c -o /tmp/x
$ /tmp/x
$ strace /tmp/x

With what qemu does:
$ armv7a-cros-linux-gnueabi-gcc test.c -o /tmp/x -static
$ qemu-arm /tmp/x
$ qemu-arm -strace /tmp/x

Signed-off-by: Mike Frysinger
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fccf9f0..7c108ab 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6636,11 +6636,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0); if (!p || !p2) { ret = -TARGET_EFAULT; + } else if (!arg3) { + /* Short circuit this for the magic exe check. */ + ret = -TARGET_EINVAL; } else if (is_proc_myself((const char *)p, "exe")) { char real[PATH_MAX], *temp; temp = realpath(exec_path, real); - ret = temp == NULL ? get_errno(-1) : strlen(real) ; - snprintf((char *)p2, arg3, "%s", real); + /* Return value is # of bytes that we wrote to the buffer. */ + if (temp == NULL) { + ret = get_errno(-1); + } else { + /* Don't worry about sign mismatch as earlier mapping + * logic would have thrown a bad address error. */ + ret = MIN(strlen(real), arg3); + /* We cannot NUL terminate the string. */ + memcpy(p2, real, ret); + } } else { ret = get_errno(readlink(path(p), p2, arg3)); }
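Review bot: the new `} else if (!arg3) {` branch only rejects a zero length; a negative arg3 is left to the assumption in the added comment that `lock_user(VERIFY_WRITE, arg2, arg3, 0)` has already failed with EFAULT, and `ret = MIN(strlen(real), arg3);` then compares a size_t against a signed abi_long. The kernel's readlink returns EINVAL for any bufsiz <= 0, so `} else if (arg3 <= 0) {` would match native behaviour exactly, remove the dependence on lock_user's handling of a negative length, and make the "Don't worry about sign mismatch" comment unnecessary. The comment "Short circuit this for the magic exe check." also reads as if the branch were specific to the exe path, but it sits before is_proc_myself() and so applies to every readlink call; that is correct, since native readlink rejects a zero length the same way, and the comment should say so.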
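The commit message relies on three properties of readlink(2) that the replaced snprintf-based code got wrong: the return value is the number of bytes copied, nothing is NUL-terminated, and a zero length is EINVAL rather than "0 bytes written". The program below is an added example, not part of this patch or of QEMU's code, that demonstrates those properties against a symlink it creates itself and shows the caller-side discipline that keeps a readlink result from being read past its end. The helper name read_link_safe, the result enum, the temp-directory fixture and the target string are all constructed for this example; it assumes a POSIX system with a writable /tmp.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of read_link_safe() (names invented for this example). */
enum link_result { LINK_OK = 0, LINK_TRUNCATED = 1, LINK_ERROR = -1 };

/*
 * Wrapper around readlink(2) that always leaves buf NUL-terminated.
 * readlink never writes a NUL and returns the number of bytes it copied,
 * so a caller that treats the buffer as a C string without terminating it
 * reads past the copied bytes. Reserving one byte for the terminator and
 * testing ret == bufsiz - 1 catches both the missing NUL and truncation.
 */
static enum link_result read_link_safe(const char *path, char *buf, size_t bufsiz)
{
    if (bufsiz == 0) {
        errno = EINVAL;              /* same error the kernel gives for length 0 */
        return LINK_ERROR;
    }
    ssize_t ret = readlink(path, buf, bufsiz - 1);   /* keep room for the NUL */
    if (ret < 0) {
        buf[0] = '\0';               /* buffer contents are garbage on error */
        return LINK_ERROR;
    }
    buf[ret] = '\0';
    /* If every byte we offered was used, the target may have been cut short. */
    return (size_t)ret == bufsiz - 1 ? LINK_TRUNCATED : LINK_OK;
}

/*
 * Exercise raw readlink(2) and the wrapper on a symlink created in a fresh
 * temp directory (constructed here; the target path is arbitrary).
 * Returns the number of checks that failed, 0 when all pass, or 100 if the
 * fixture could not be created.
 */
int demo_readlink_semantics(void)
{
    const char *target = "/constructed/target/path";   /* 24 bytes */
    char dir[] = "/tmp/readlink-demo-XXXXXX";
    char link[PATH_MAX];
    char buf[64];
    int failures = 0;

    if (mkdtemp(dir) == NULL) {
        return 100;
    }
    snprintf(link, sizeof link, "%s/link", dir);
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return 100;
    }

    /* 1. Length 0 is an error (EINVAL), not "0 bytes written". */
    errno = 0;
    if (!(readlink(link, buf, 0) == -1 && errno == EINVAL)) {
        failures++;
    }

    /* 2. A short buffer is filled to exactly bufsiz bytes and NOT terminated. */
    memset(buf, '!', sizeof buf);
    ssize_t n = readlink(link, buf, 5);
    if (!(n == 5 && memcmp(buf, "/cons", 5) == 0 && buf[5] == '!')) {
        failures++;
    }

    /* 3. The wrapper reports truncation and still yields a proper C string. */
    if (!(read_link_safe(link, buf, 6) == LINK_TRUNCATED && strcmp(buf, "/cons") == 0)) {
        failures++;
    }

    /* 4. With enough room the wrapper returns the whole target. */
    if (!(read_link_safe(link, buf, sizeof buf) == LINK_OK && strcmp(buf, target) == 0)) {
        failures++;
    }

    /* 5. The wrapper rejects a zero-length buffer the way the kernel does. */
    if (!(read_link_safe(link, buf, 0) == LINK_ERROR && errno == EINVAL)) {
        failures++;
    }

    unlink(link);
    rmdir(dir);
    return failures;
}

int main(void)
{
    int failed = demo_readlink_semantics();
    printf("readlink semantics checks failed: %d\n", failed);
    return failed == 0 ? 0 : 1;
}
```

Check 2 is the behaviour the old snprintf code hid from emulated programs: a guest that sized its buffer from the return value and then used the bytes as a C string behaved differently under qemu than natively, which is exactly the kind of divergence that turns a truncation into an out-of-bounds read when the binary is later run on real hardware.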