From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41953) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4Z7J-0005Ep-HU for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:24:44 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1X4Z6P-00013w-K7 for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:23:45 -0400 Received: from e36.co.us.ibm.com ([32.97.110.154]:32983) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4Z6P-00013f-5p for qemu-devel@nongnu.org; Tue, 08 Jul 2014 13:22:49 -0400 Received: from /spool/local by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 8 Jul 2014 11:22:48 -0600 From: Michael Roth Date: Tue, 8 Jul 2014 12:18:42 -0500 Message-Id: <1404839947-1086-132-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org From: Peter Maydell If the guest's "long" type is smaller than the host's, then our sched_getaffinity wrapper needs to round the buffer size up to a multiple of the host sizeof(long). This means that when we copy the data back from the host buffer to the guest's buffer there might be more than we can fit. Rather than overflowing the guest's buffer, handle this case by returning EINVAL or ignoring the unused extra space, as appropriate. Note that only guests using the syscall interface directly might run into this bug -- the glibc wrappers around it will always use a buffer whose size is a multiple of 8 regardless of guest architecture. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio (cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24) Signed-off-by: Michael Roth --- linux-user/syscall.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 81f79f9..de8918d 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7479,6 +7479,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask)); if (!is_error(ret)) { + if (ret > arg2) { + /* More data returned than the caller's buffer will fit. + * This only happens if sizeof(abi_long) < sizeof(long) + * and the caller passed us a buffer holding an odd number + * of abi_longs. If the host kernel is actually using the + * extra 4 bytes then fail EINVAL; otherwise we can just + * ignore them and only copy the interesting part. + */ + int numcpus = sysconf(_SC_NPROCESSORS_CONF); + if (numcpus > arg2 * 8) { + ret = -TARGET_EINVAL; + break; + } + ret = arg2; + } + if (copy_to_user(arg3, mask, ret)) { goto efault; } -- 1.9.1