From patchwork Tue Aug 12 13:42:16 2014
X-Patchwork-Submitter: Riku Voipio
X-Patchwork-Id: 35262
From: riku.voipio@linaro.org
To: qemu-devel@nongnu.org
Date: Tue, 12 Aug 2014 16:42:16 +0300
X-Mailer: git-send-email 1.7.10.4
Cc: Mike Frysinger
Subject: [Qemu-devel] [PATCH 06/10] linux-user: fix readlink handling with magic exe symlink
From: Mike Frysinger

The current code always returns the length of the path when it should be
returning the number of bytes it wrote to the output string. Further,
readlink is not supposed to append a NUL byte, but the current snprintf
logic will always do just that. Even further, if you pass in a length of
0, you're supposed to get back an error (EINVAL), but the current logic
just returns 0. Further still, if there was an error reading the symlink,
we should not go ahead and try to read the target buffer as it is garbage.

Simple test for the first two issues:

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
	char buf[50];
	size_t len;
	for (len = 0; len < 10; ++len) {
		/* Fill with '!' so any NUL byte written by readlink is visible. */
		memset(buf, '!', sizeof(buf));
		ssize_t ret = readlink("/proc/self/exe", buf, len);
		buf[20] = '\0';
		printf("readlink(/proc/self/exe, {%s}, %zu) = %zi\n", buf, len, ret);
	}
	return 0;
}

Now compare the output of the native:
$ gcc test.c -o /tmp/x
$ /tmp/x
$ strace /tmp/x

With what qemu does:
$ armv7a-cros-linux-gnueabi-gcc test.c -o /tmp/x -static
$ qemu-arm /tmp/x
$ qemu-arm -strace /tmp/x

Signed-off-by: Mike Frysinger
Signed-off-by: Riku Voipio
---
 linux-user/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fccf9f0..7c108ab 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6636,11 +6636,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0); if (!p || !p2) { ret = -TARGET_EFAULT; + } else if (!arg3) { + /* Short circuit this for the magic exe check. */ + ret = -TARGET_EINVAL; } else if (is_proc_myself((const char *)p, "exe")) { char real[PATH_MAX], *temp; temp = realpath(exec_path, real); - ret = temp == NULL ? get_errno(-1) : strlen(real) ; - snprintf((char *)p2, arg3, "%s", real); + /* Return value is # of bytes that we wrote to the buffer. */ + if (temp == NULL) { + ret = get_errno(-1); + } else { + /* Don't worry about sign mismatch as earlier mapping + * logic would have thrown a bad address error. */ + ret = MIN(strlen(real), arg3); + /* We cannot NUL terminate the string. */ + memcpy(p2, real, ret); + } } else { ret = get_errno(readlink(path(p), p2, arg3)); }
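Review bot: the new `} else if (!arg3) {` test runs after the `if (!p || !p2)` EFAULT check and only catches a length of exactly zero, whereas the kernel's readlink rejects any bufsiz <= 0 with EINVAL before it looks at the caller's buffer, so a zero or negative length paired with an unmapped buffer can come back as -TARGET_EFAULT here where native returns EINVAL, and a negative `arg3` falls through to `ret = MIN(strlen(real), arg3);` relying on `lock_user` having already failed, as the "sign mismatch" comment concedes. Consider checking `arg3 <= 0` before the `lock_user` calls instead; that also makes the comment "Short circuit this for the magic exe check." accurate, since as written the check applies to every readlink, including the pass-through `ret = get_errno(readlink(path(p), p2, arg3));` branch (harmless, because the kernel would return EINVAL there anyway, but not what the comment says).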