qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH 0/2] linux-user: fix some msgrcv edge cases
@ 2016-05-20 18:00 Peter Maydell
From: Peter Maydell @ 2016-05-20 18:00 UTC (permalink / raw)
  To: qemu-devel; +Cc: patches, Riku Voipio

These patches fix a couple of issues with handling edge cases
in our linux-user msgrcv implementation:
 * we weren't dealing with negative msgsz correctly (should fail EINVAL)
 * we were using g_malloc() rather than g_try_malloc() for an allocation
   whose size is controlled by the guest

(Both these were already handled correctly for msgsnd.)

This fixes a hang in the Linux Test Project msgrcv03 test case.

Peter Maydell (2):
  linux-user: Handle msgrcv error case correctly
  linux-user: Use g_try_malloc() in do_msgrcv()

 linux-user/syscall.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

-- 
1.9.1


* [Qemu-devel] [PATCH 1/2] linux-user: Handle msgrcv error case correctly
From: Peter Maydell @ 2016-05-20 18:00 UTC (permalink / raw)
  To: qemu-devel; +Cc: patches, Riku Voipio

The msgrcv ABI is a bit odd -- the msgsz argument is a size_t, which is
unsigned, but it must fail EINVAL if the value is negative when cast
to a long. We were incorrectly passing the value through an
"unsigned int", which meant that if the guest had 32-bit longs and
the host had 64-bit longs, an input of 0xffffffff (which should trigger
EINVAL) would simply be passed to the host msgrcv() as 0xffffffff,
where it does not cause the host kernel to reject it.
Follow the same approach as do_msgsnd() in using a ssize_t and
doing the check for negative values by hand, so we correctly fail
in this corner case.

This fixes the msgrcv03 Linux Test Project test case, which otherwise
hangs.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/syscall.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 032d338..0becbe4 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3095,7 +3095,7 @@ static inline abi_long do_msgsnd(int msqid, abi_long msgp,
 }
 
 static inline abi_long do_msgrcv(int msqid, abi_long msgp,
-                                 unsigned int msgsz, abi_long msgtyp,
+                                 ssize_t msgsz, abi_long msgtyp,
                                  int msgflg)
 {
     struct target_msgbuf *target_mb;
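Review bot: this hunk changes only the callee's parameter type to ssize_t, while the call site that supplies msgsz is outside the diff; the fix depends on that caller passing the guest value as a signed abi_long so that 0xffffffff from a 32-bit guest sign-extends to -1 on a 64-bit host. If the caller hands it over as an abi_ulong or through any unsigned cast, it zero-extends to 4294967295 and the `msgsz < 0` check added in the next hunk never fires. Please confirm how the caller passes the argument, ideally with a sentence in the commit message.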
@@ -3103,6 +3103,10 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     struct msgbuf *host_mb;
     abi_long ret = 0;
 
+    if (msgsz < 0) {
+        return -TARGET_EINVAL;
+    }
+
     if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0))
         return -TARGET_EFAULT;
 
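Review bot: a short comment above `if (msgsz < 0)` would help here: a negative check on what the ABI declares as a size_t looks wrong at first glance, and a later cleanup could switch the parameter back to an unsigned type and silently reintroduce the bug the commit message describes. Something like `/* msgsz is size_t in the ABI, but must fail EINVAL if negative as a long */` next to the check would record the invariant. The placement is right: the check runs before lock_user_struct(), so the early return needs no unlock.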
-- 
1.9.1


* [Qemu-devel] [PATCH 2/2] linux-user: Use g_try_malloc() in do_msgrcv()
From: Peter Maydell @ 2016-05-20 18:00 UTC (permalink / raw)
  To: qemu-devel; +Cc: patches, Riku Voipio

In do_msgrcv() we want to allocate a message buffer, whose size
is passed to us by the guest. That means we could legitimately
fail, so use g_try_malloc() and handle the error case, in the same
way that do_msgsnd() does.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/syscall.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 0becbe4..ae81473 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3110,7 +3110,11 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0))
         return -TARGET_EFAULT;
 
-    host_mb = g_malloc(msgsz+sizeof(long));
+    host_mb = g_try_malloc(msgsz + sizeof(long));
+    if (!host_mb) {
+        ret = -TARGET_ENOMEM;
+        goto end;
+    }
     ret = get_errno(msgrcv(msqid, host_mb, msgsz, msgtyp, msgflg));
 
     if (ret > 0) {
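Review bot: the new `goto end` runs after lock_user_struct(VERIFY_WRITE, target_mb, ...) has already succeeded, so the `end:` label (outside this hunk) must unlock target_mb on this path, and any cleanup there that frees host_mb must tolerate it being NULL (g_free(NULL) is a no-op, so that part is fine if g_free() is used). Please double-check the label's unlock, because the -TARGET_EFAULT return just above bails out before anything is locked, whereas this new path does not. With that confirmed, returning -TARGET_ENOMEM for a guest-chosen size is the right outcome: g_malloc() would have aborted the whole emulator instead.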
-- 
1.9.1

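Added here as an illustration of the two fixes above (this is not QEMU's code and not part of either patch): the two conversions the first commit message contrasts for a 32-bit guest on a 64-bit host, and the patched do_msgrcv() prologue with the EINVAL check followed by a failable allocation. The abi_long typedef, the function names and the injected allocator are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>

/* Constructed stand-in for QEMU's abi_long with a 32-bit guest (the
 * guest's signed 'long'); not QEMU's own definition. */
typedef int32_t abi_long;

/* Pre-patch conversion: the guest's msgsz is funnelled through an
 * 'unsigned int' before it is widened to the host's ssize_t, so on a
 * 64-bit host 0xffffffff becomes 4294967295 and is never negative. */
static ssize_t msgsz_via_unsigned_int(uint32_t guest_reg)
{
    unsigned int msgsz = guest_reg;   /* the sign information is lost here */
    return (ssize_t)msgsz;
}

/* Post-patch conversion: the value is read as the guest's signed long and
 * widened with sign extension, so 0xffffffff stays -1 on the host side. */
static ssize_t msgsz_via_abi_long(uint32_t guest_reg)
{
    abi_long msgsz = (abi_long)guest_reg;
    return (ssize_t)msgsz;
}

/* Prologue of the patched do_msgrcv(), with the allocator injected so the
 * failure path can be exercised without a real multi-GiB request: reject a
 * negative size with EINVAL, then allocate the host message buffer with a
 * failable allocator and report ENOMEM instead of aborting the emulator.
 * Returns 0 and stores the buffer in *out on success (caller frees it). */
static int msgrcv_prepare_buffer(ssize_t msgsz, void *(*try_alloc)(size_t),
                                 void **out)
{
    *out = NULL;
    if (msgsz < 0) {
        return -EINVAL;
    }
    /* msgsz is non-negative here, so this sum cannot wrap in size_t. */
    void *host_mb = try_alloc((size_t)msgsz + sizeof(long));
    if (!host_mb) {
        return -ENOMEM;           /* like g_try_malloc() returning NULL */
    }
    *out = host_mb;
    return 0;
}

/* Constructed allocator that always fails, standing in for g_try_malloc()
 * under memory pressure. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }
```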
