From: Michael Roth
Subject: [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity
Date: Tue, 8 Jul 2014 12:18:42 -0500
From: Peter Maydell <address@hidden>
If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.
Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24)
Signed-off-by: Michael Roth <address@hidden>
---
linux-user/syscall.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 81f79f9..de8918d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7479,6 +7479,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask));
if (!is_error(ret)) {
+ if (ret > arg2) {
+ /* More data returned than the caller's buffer will fit.
+ * This only happens if sizeof(abi_long) < sizeof(long)
+ * and the caller passed us a buffer holding an odd number
+ * of abi_longs. If the host kernel is actually using the
+ * extra 4 bytes then fail EINVAL; otherwise we can just
+ * ignore them and only copy the interesting part.
+ */
+ int numcpus = sysconf(_SC_NPROCESSORS_CONF);
+ if (numcpus > arg2 * 8) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+ ret = arg2;
+ }
+
if (copy_to_user(arg3, mask, ret)) {
goto efault;
}
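Review bot: the `int numcpus = sysconf(_SC_NPROCESSORS_CONF);` line has no error handling; sysconf() returns -1 on failure, and since -1 > arg2 * 8 can never be true, a failed lookup falls through to `ret = arg2;` and silently truncates the mask instead of failing. The processor count is also only a proxy for what the host kernel wrote: the comment states the intent as failing when "the host kernel is actually using the extra 4 bytes", and the direct test for that is to scan mask[arg2 .. ret) for any non-zero byte and return -TARGET_EINVAL only when a set bit would actually be dropped, which needs no sysconf() call and has no failure case. If the sysconf() approach stays, treat numcpus < 0 as an error rather than as "fits".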
--
1.9.1
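The following is an added example, not QEMU's code and not part of this patch or its discussion. It models the size handling the commit message describes: a 32-bit guest (abi_long of 4 bytes) on a 64-bit host (long of 8 bytes), both assumed constants here; a constructed stand-in for the host kernel's sched_getaffinity; and the patch's policy of dropping the excess bytes or failing with EINVAL. It decides that from the returned mask bytes themselves rather than from sysconf(_SC_NPROCESSORS_CONF), so it goes slightly beyond the patch by having no failure case in the check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the size handling described in the commit message.
 * Assumed (not from QEMU): a 32-bit guest (abi_long is 4 bytes) on a
 * 64-bit host (long is 8 bytes). */
#define GUEST_LONG_SIZE 4
#define HOST_LONG_SIZE 8

/* The wrapper must hand the host a buffer whose length is a multiple of the
 * host long; this rounding is what lets the host's return value exceed the
 * guest's buffer length. */
static size_t round_up_to_host_long(size_t guest_len)
{
    return (guest_len + HOST_LONG_SIZE - 1) / HOST_LONG_SIZE * HOST_LONG_SIZE;
}

/* Stand-in for the host kernel's sched_getaffinity (constructed): sets the
 * bits for CPUs 0..ncpus-1 in mask and reports host_len bytes written, the
 * way a kernel whose cpumask covers the whole buffer would. */
static long fake_host_getaffinity(uint8_t *mask, size_t host_len, int ncpus)
{
    memset(mask, 0, host_len);
    for (int cpu = 0; cpu < ncpus; cpu++) {
        size_t byte = (size_t)cpu / 8;
        if (byte < host_len) {
            mask[byte] |= (uint8_t)(1u << (cpu % 8));
        }
    }
    return (long)host_len;
}

/* How many of the ret bytes the host returned may be copied back into a
 * guest buffer of guest_len bytes.  Excess bytes are dropped only if they
 * are all zero; if any set bit would be lost the call fails with -EINVAL.
 * Same policy as the patch, but decided from the mask bytes themselves
 * rather than from sysconf(_SC_NPROCESSORS_CONF). */
static long bytes_to_copy_back(const uint8_t *mask, long ret, size_t guest_len)
{
    if (ret < 0 || (size_t)ret <= guest_len) {
        return ret;
    }
    for (size_t i = guest_len; i < (size_t)ret; i++) {
        if (mask[i] != 0) {
            return -EINVAL;
        }
    }
    return (long)guest_len;
}

/* Whole path for one guest call: round, call the host, clamp, copy.
 * Returns the byte count the guest sees or a negative errno.  guest_buf
 * may be NULL to only compute the result. */
static long emulate_guest_getaffinity(size_t guest_len, int ncpus, uint8_t *guest_buf)
{
    uint8_t host_mask[64];  /* host-side scratch buffer, sized for the demo */
    size_t host_len = round_up_to_host_long(guest_len);
    if (host_len > sizeof host_mask) {
        return -EINVAL;
    }
    long ret = fake_host_getaffinity(host_mask, host_len, ncpus);
    long n = bytes_to_copy_back(host_mask, ret, guest_len);
    if (n > 0 && guest_buf) {
        memcpy(guest_buf, host_mask, (size_t)n);  /* n <= guest_len: no overrun */
    }
    return n;
}

/* Does the guest see CPU `cpu` as allowed after a guest_len-byte call? */
static int guest_sees_cpu(size_t guest_len, int ncpus, int cpu)
{
    uint8_t guest_buf[64] = {0};
    long n = emulate_guest_getaffinity(guest_len, ncpus, guest_buf);
    if (n < 0 || (size_t)cpu / 8 >= (size_t)n) {
        return 0;
    }
    return (guest_buf[cpu / 8] >> (cpu % 8)) & 1;
}

int main(void)
{
    /* 4-byte guest buffer: the wrapper rounds it to 8 bytes.  Before the
     * patch, copying all 8 back would write 4 bytes past the guest buffer. */
    printf("guest asks for %d bytes, host is given %zu\n",
           GUEST_LONG_SIZE, round_up_to_host_long(GUEST_LONG_SIZE));
    printf("2 CPUs:  result %ld (excess bytes are zero, dropped)\n",
           emulate_guest_getaffinity(GUEST_LONG_SIZE, 2, NULL));
    printf("40 CPUs: result %ld (set bits in the excess, EINVAL)\n",
           emulate_guest_getaffinity(GUEST_LONG_SIZE, 40, NULL));
    printf("40 CPUs, 8-byte buffer: result %ld\n",
           emulate_guest_getaffinity(8, 40, NULL));
    return 0;
}
```

The 4-byte buffer with 2 CPUs succeeds with 4 bytes copied because the host's extra 4 bytes are all zero; the same buffer with 40 CPUs fails with EINVAL because bytes 4 and beyond carry set bits that the guest could not receive; an 8-byte buffer needs no rounding and is returned unchanged.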