From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59053)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <tommusta@gmail.com>) id 1XEMtN-0004Mf-Vl
	for qemu-devel@nongnu.org; Mon, 04 Aug 2014 14:21:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <tommusta@gmail.com>) id 1XEMtI-0000ob-9b
	for qemu-devel@nongnu.org; Mon, 04 Aug 2014 14:21:53 -0400
Message-ID: <53DFCF34.9050606@gmail.com>
Date: Mon, 04 Aug 2014 13:21:40 -0500
From: Tom Musta <tommusta@gmail.com>
MIME-Version: 1.0
References: <1407170739-12237-1-git-send-email-tommusta@gmail.com>
	<1407170739-12237-3-git-send-email-tommusta@gmail.com>
	<CAFEAcA8W1nK74YZzSq=ZDSmwv+5AyToBuYF7cAsKQeNVSkj8AQ@mail.gmail.com>
In-Reply-To: <CAFEAcA8W1nK74YZzSq=ZDSmwv+5AyToBuYF7cAsKQeNVSkj8AQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 02/12] linux-user: Dereference Pointer
 Argument to ipc/semctl Sys Call
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Riku Voipio <riku.voipio@linaro.org>, "qemu-ppc@nongnu.org" <qemu-ppc@nongnu.org>, QEMU Developers <qemu-devel@nongnu.org>, Alexander Graf <agraf@suse.de>

On 8/4/2014 12:04 PM, Peter Maydell wrote:
> On 4 August 2014 17:45, Tom Musta <tommusta@gmail.com> wrote:
>> When the ipc system call is used to wrap a semctl system call,
>> the ptr argument to ipc needs to be dereferenced prior to passing
>> it to the semctl handler.  This is because the fourth argument to
>> semctl is a union and not a pointer to a union.
>>
>> Signed-off-by: Tom Musta <tommusta@gmail.com>
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 540001c..229c482 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -3135,9 +3135,15 @@ static abi_long do_ipc(unsigned int call, int first,
>>          ret = get_errno(semget(first, second, third));
>>          break;
>>
>> -    case IPCOP_semctl:
>> -        ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) ptr);
>> +    case IPCOP_semctl: {
>> +        /* The semun argument to semctl is passed by value, so dereference the
>> +         * ptr argument. */
>> +        abi_ulong atptr;
>> +        get_user_ual(atptr, (abi_ulong)ptr);
>> +        ret = do_semctl(first, second, third,
>> +                (union target_semun)(abi_ulong) atptr);
> 
> My review comments on this patch from Paul Burton:
> http://patchwork.ozlabs.org/patch/363201/
> apply here too: the change here to use get_user_ual()
> looks plausible, except that do_semctl() writes to the
> target_su in some cases, so how is this supposed to
> pass the value back to the caller? Probably do_semctl()
> is buggy, but the whole thing needs to be scrutinized
> and fixed, not just this little corner...
> 
> thanks
> -- PMM
> 

Thanks for your review of these patches, Peter.

It appears that Paul never resolved your concerns and resubmitted his patch (?).
To be honest, I'm not sure yet that I yet see what has you concerned, but I
will attempt an end-to-end review of the semctl path. (QEMU, glibc, kernel)