From: riku.voipio@iki.fi
To: qemu-devel@nongnu.org
Cc: Riku Voipio <riku.voipio@iki.fi>,
Arnaud Patard <arnaud.patard@rtp-net.org>
Subject: [Qemu-devel] [PATCH 2/5] linux-user: check some parameters for some socket syscalls.
Date: Tue, 30 Jun 2009 17:15:08 +0300 [thread overview]
Message-ID: <643d02cfabc84fa622c3535b5d69b9ca511390bf.1246370192.git.riku.voipio@iki.fi> (raw)
In-Reply-To: <cover.1246370192.git.riku.voipio@iki.fi>
In-Reply-To: <cover.1246370192.git.riku.voipio@iki.fi>
From: Arnaud Patard <arnaud.patard@rtp-net.org>
From: Arnaud Patard <arnaud.patard@rtp-net.org>
This patch fixes the following issues:
- commit 8fea36025b9d6d360ff3b78f88a84ccf221807e8 was applied to
do_getsockname instead of do_accept.
- Some syscalls were not properly checking the memory addresses passed
as arguments.
- Add checks before the syscall for cases like do_getpeername(), where
the address parameter is used after the syscall has been made.
- Fix do_accept to return EINVAL instead of EFAULT when parameters are
invalid, to match Linux behaviour.
Signed-off-by: Arnaud Patard <arnaud.patard@rtp-net.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
---
linux-user/syscall.c | 42 ++++++++++++++++++++++++++++++++++--------
1 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 11564fd..a96e86a 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1498,13 +1498,17 @@ static abi_long do_bind(int sockfd, abi_ulong target_addr,
socklen_t addrlen)
{
void *addr;
+ abi_long ret;
if (addrlen < 0)
return -TARGET_EINVAL;
addr = alloca(addrlen+1);
- target_to_host_sockaddr(addr, target_addr, addrlen);
+ ret = target_to_host_sockaddr(addr, target_addr, addrlen);
+ if (ret)
+ return ret;
+
return get_errno(bind(sockfd, addr, addrlen));
}
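Review bot: The `if (addrlen < 0)` guard that the new `ret` handling sits under is dead when socklen_t is unsigned, as it is on glibc hosts, so a guest-supplied length still reaches `alloca(addrlen+1)` and target_to_host_sockaddr with no upper bound and an oversized value would exhaust the stack instead of being rejected. Linux itself refuses address lengths larger than sizeof(struct sockaddr_storage) with EINVAL, so a bound of that form, `if (addrlen > sizeof(struct sockaddr_storage)) return -TARGET_EINVAL;`, would both revive the check and match the kernel. The same comparison appears in the do_connect, do_accept, do_getpeername and do_getsockname hunks below (addrlen's declaration in the last three is outside their hunks, so confirm its type there), and do_sendto's `alloca(addrlen)` has no guard visible in its hunk either. do_bind's signature is in the hunk header and its body is complete here.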
@@ -1513,13 +1517,17 @@ static abi_long do_connect(int sockfd, abi_ulong target_addr,
socklen_t addrlen)
{
void *addr;
+ abi_long ret;
if (addrlen < 0)
return -TARGET_EINVAL;
addr = alloca(addrlen);
- target_to_host_sockaddr(addr, target_addr, addrlen);
+ ret = target_to_host_sockaddr(addr, target_addr, addrlen);
+ if (ret)
+ return ret;
+
return get_errno(connect(sockfd, addr, addrlen));
}
@@ -1543,8 +1551,12 @@ static abi_long do_sendrecvmsg(int fd, abi_ulong target_msg,
if (msgp->msg_name) {
msg.msg_namelen = tswap32(msgp->msg_namelen);
msg.msg_name = alloca(msg.msg_namelen);
- target_to_host_sockaddr(msg.msg_name, tswapl(msgp->msg_name),
+ ret = target_to_host_sockaddr(msg.msg_name, tswapl(msgp->msg_name),
msg.msg_namelen);
+ if (ret) {
+ unlock_user_struct(msgp, target_msg, send ? 0 : 1);
+ return ret;
+ }
} else {
msg.msg_name = NULL;
msg.msg_namelen = 0;
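Review bot: `msg.msg_namelen` is taken directly from guest memory via `tswap32(msgp->msg_namelen)` and passed to `alloca(msg.msg_namelen)` without any bound, so the new failure path after target_to_host_sockaddr does not cover an oversized name length, which is the input most likely to be hostile. The kernel caps this length at sizeof(struct sockaddr_storage) and returns EINVAL, so a check before the alloca, `if (msg.msg_namelen > sizeof(struct sockaddr_storage)) { unlock_user_struct(msgp, target_msg, send ? 0 : 1); return -TARGET_EINVAL; }`, would mirror it and reuse the unlock this hunk already introduces. do_sendrecvmsg starts and ends outside the hunk, so that msgp is the only resource held at this point is inferred from the unlock the patch itself chose.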
@@ -1586,12 +1598,19 @@ static abi_long do_accept(int fd, abi_ulong target_addr,
void *addr;
abi_long ret;
+ if (target_addr == 0)
+ return get_errno(accept(fd, NULL, NULL));
+
+ /* linux returns EINVAL if addrlen pointer is invalid */
if (get_user_u32(addrlen, target_addrlen_addr))
- return -TARGET_EFAULT;
+ return -TARGET_EINVAL;
if (addrlen < 0)
return -TARGET_EINVAL;
+ if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
+ return -TARGET_EINVAL;
+
addr = alloca(addrlen);
ret = get_errno(accept(fd, addr, &addrlen));
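Review bot: Returning -TARGET_EINVAL when `access_ok(VERIFY_WRITE, target_addr, addrlen)` fails is not justified by the comment above it, which only covers an invalid addrlen pointer, and it disagrees with do_getpeername and do_getsockname in this same patch, which return -TARGET_EFAULT for the identical check. As far as I recall, the kernel only touches the address buffer after the connection is accepted and reports an unwritable buffer as EFAULT from the copy-out, so either `return -TARGET_EFAULT;` here for consistency, or extend the comment to state why EINVAL is wanted for the buffer as well. Because both new checks run before accept() is called, a guest passing a bad buffer to a non-listening socket now gets the parameter error instead of the kernel's own error for that socket; the values coincide today but the ordering is worth a comment. do_accept continues past the end of the hunk.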
@@ -1617,6 +1636,9 @@ static abi_long do_getpeername(int fd, abi_ulong target_addr,
if (addrlen < 0)
return -TARGET_EINVAL;
+ if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
+ return -TARGET_EFAULT;
+
addr = alloca(addrlen);
ret = get_errno(getpeername(fd, addr, &addrlen));
@@ -1636,15 +1658,15 @@ static abi_long do_getsockname(int fd, abi_ulong target_addr,
void *addr;
abi_long ret;
- if (target_addr == 0)
- return get_errno(accept(fd, NULL, NULL));
-
if (get_user_u32(addrlen, target_addrlen_addr))
return -TARGET_EFAULT;
if (addrlen < 0)
return -TARGET_EINVAL;
+ if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
+ return -TARGET_EFAULT;
+
addr = alloca(addrlen);
ret = get_errno(getsockname(fd, addr, &addrlen));
@@ -1688,7 +1710,11 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
return -TARGET_EFAULT;
if (target_addr) {
addr = alloca(addrlen);
- target_to_host_sockaddr(addr, target_addr, addrlen);
+ ret = target_to_host_sockaddr(addr, target_addr, addrlen);
+ if (ret) {
+ unlock_user(host_msg, msg, 0);
+ return ret;
+ }
ret = get_errno(sendto(fd, host_msg, len, flags, addr, addrlen));
} else {
ret = get_errno(send(fd, host_msg, len, flags));
--
1.6.2.1