From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:35626) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QBA52-00080r-2X for qemu-devel@nongnu.org; Sat, 16 Apr 2011 14:18:48 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QBA50-00043L-WB for qemu-devel@nongnu.org; Sat, 16 Apr 2011 14:18:48 -0400 Received: from mail-gw0-f45.google.com ([74.125.83.45]:59296) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QBA50-00043F-Q2 for qemu-devel@nongnu.org; Sat, 16 Apr 2011 14:18:46 -0400 Received: by gwb19 with SMTP id 19so1786757gwb.4 for ; Sat, 16 Apr 2011 11:18:46 -0700 (PDT) MIME-Version: 1.0 Sender: vapier.adi@gmail.com In-Reply-To: <20110416091623.GB22205@stefanha-thinkpad.localdomain> References: <4DA3CB84.5080503@samsung.com> <20110416091623.GB22205@stefanha-thinkpad.localdomain> From: Mike Frysinger Date: Sat, 16 Apr 2011 14:18:26 -0400 Message-ID: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH] Fix buffer overrun in sched_getaffinity List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Hajnoczi Cc: Mike McCormack , Riku Voipio , qemu-devel@nongnu.org On Sat, Apr 16, 2011 at 05:16, Stefan Hajnoczi wrote: > On Tue, Apr 12, 2011 at 12:48:20PM +0900, Mike McCormack wrote: >> Zeroing of the cpu array should start from &cpus[kernel_ret] >> not &cpus[num_zeros_to_fill]. >> >> This fixes a crash in EFL's edje_cc running under qemu-arm. >> >> diff --git a/linux-user/syscall.c b/linux-user/syscall.c >> index bb0999d..1cda10a 100644 >> --- a/linux-user/syscall.c >> +++ b/linux-user/syscall.c 
>> @@ -6389,7 +6389,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_lo= ng arg1, >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0unsigned long zero =3D arg2 - ret; >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0p =3D alloca(zero); >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0memset(p, 0, zero); >> - =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0i= f (copy_to_user(arg3 + zero, p, zero)) { >> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0i= f (copy_to_user(arg3 + ret, p, zero)) { >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0goto efault; >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0} >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0arg2 =3D ret; > > Reviewed-by: Stefan Hajnoczi > > Note that mainline Linux does not zero unwritten bytes. =C2=A0I would dro= p > the entire arg2 > ret case and instead copy only ret bytes to user. both changes make sense to me Acked-by: Mike Frysinger -mike
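Review bot: the replaced `copy_to_user` call now writes the padding at `arg3 + ret` instead of `arg3 + zero`, which is the right offset for bytes following the `ret` bytes the kernel filled, but the surrounding lines still feed `zero = arg2 - ret` straight into `alloca(zero)`, and `arg2` is the guest-supplied buffer length, so as far as this hunk shows a large `arg2` turns into an unbounded stack allocation before the copy ever happens. Given the note above that mainline Linux does not zero the unwritten tail, the simpler and safer change is the one suggested in the reply: drop the `arg2 > ret` zero-fill block entirely and copy only `ret` bytes back to the guest, which removes both the offset bug and the `alloca` in one step; if the zero-fill is kept, bound `zero` by the guest's cpu-set size (or use a fixed-size local and loop) rather than allocating a caller-chosen amount on the stack.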