From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: Laurent Vivier <laurent@vivier.eu>, Michael Tokarev <mjt@tls.msk.ru>
Subject: [PATCH] linux-user: permit sendto() with NULL buf and 0 len
Date: Tue, 28 Oct 2025 14:20:01 +0000 [thread overview]
Message-ID: <20251028142001.3011630-1-peter.maydell@linaro.org> (raw)
If you pass sendto() a NULL buffer, this is usually an error
(causing an EFAULT return); however if you pass a 0 length then
we should not try to validate the buffer provided. Instead we
skip the copying of the user data and possible processing
through fd_trans_target_to_host_data, and call the host syscall
with NULL, 0.
(unlock_user() permits a NULL buffer pointer for "do nothing"
so we don't need to special case the unlock code.)
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3102
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
linux-user/syscall.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8546f48a05b..2060e561a20 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3581,7 +3581,7 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
abi_ulong target_addr, socklen_t addrlen)
{
void *addr;
- void *host_msg;
+ void *host_msg = NULL;
void *copy_msg = NULL;
abi_long ret;
@@ -3589,16 +3589,19 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
return -TARGET_EINVAL;
}
- host_msg = lock_user(VERIFY_READ, msg, len, 1);
- if (!host_msg)
- return -TARGET_EFAULT;
- if (fd_trans_target_to_host_data(fd)) {
- copy_msg = host_msg;
- host_msg = g_malloc(len);
- memcpy(host_msg, copy_msg, len);
- ret = fd_trans_target_to_host_data(fd)(host_msg, len);
- if (ret < 0) {
- goto fail;
+ if (len != 0) {
+ host_msg = lock_user(VERIFY_READ, msg, len, 1);
+ if (!host_msg) {
+ return -TARGET_EFAULT;
+ }
+ if (fd_trans_target_to_host_data(fd)) {
+ copy_msg = host_msg;
+ host_msg = g_malloc(len);
+ memcpy(host_msg, copy_msg, len);
+ ret = fd_trans_target_to_host_data(fd)(host_msg, len);
+ if (ret < 0) {
+ goto fail;
+ }
}
}
if (target_addr) {
--
2.43.0
next reply other threads:[~2025-10-28 14:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-28 14:20 Peter Maydell [this message]
2025-10-28 15:42 ` [PATCH] linux-user: permit sendto() with NULL buf and 0 len Philippe Mathieu-Daudé
2025-10-28 15:44 ` Michael Tokarev
2025-10-31 11:12 ` Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251028142001.3011630-1-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=laurent@vivier.eu \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).