From: Michael Roth
Subject: [Qemu-devel] [PATCH 064/108] linux-user: Don't overrun guest buffer in sched_getaffinity
Date: Wed, 6 Aug 2014 15:39:14 -0500
From: Peter Maydell <address@hidden>
If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.
Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24)
Signed-off-by: Michael Roth <address@hidden>
---
linux-user/syscall.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9864813..2d28bdb 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7499,6 +7499,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask));
if (!is_error(ret)) {
+ if (ret > arg2) {
+ /* More data returned than the caller's buffer will fit.
+ * This only happens if sizeof(abi_long) < sizeof(long)
+ * and the caller passed us a buffer holding an odd number
+ * of abi_longs. If the host kernel is actually using the
+ * extra 4 bytes then fail EINVAL; otherwise we can just
+ * ignore them and only copy the interesting part.
+ */
+ int numcpus = sysconf(_SC_NPROCESSORS_CONF);
+ if (numcpus > arg2 * 8) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+ ret = arg2;
+ }
+
if (copy_to_user(arg3, mask, ret)) {
goto efault;
}
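Review bot: the result of `sysconf(_SC_NPROCESSORS_CONF)` stored in `int numcpus` is not checked for failure; `sysconf` returns -1 on error, in which case `numcpus > arg2 * 8` is false and the code falls through to `ret = arg2;`, silently truncating the mask instead of reporting the problem. The truncation is still memory-safe (nothing past `arg2` bytes is copied), but an explicit `if (numcpus < 0 || numcpus > arg2 * 8)` would make the failure visible as EINVAL rather than returning a mask that may be missing CPUs. A smaller point: the comment's "extra 4 bytes" hard-codes the assumption that `sizeof(long) - sizeof(abi_long) == 4`; saying "the extra bytes of the rounded-up buffer" would keep the comment true for any host/guest pairing the surrounding `if (ret > arg2)` check already handles.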
--
1.9.1
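To make the copy-back check concrete, here is an added stand-alone C model of the fixed wrapper. It is not QEMU's code: `host_sched_getaffinity_model` stands in for the host kernel (the real syscall is not called), `abi_long` is assumed to be a 32-bit guest long, the value of `TARGET_EINVAL` is assumed, and the guest buffer is a plain array with a canary after it so that any overrun past `arg2` bytes can be detected. The interesting cases are a guest buffer holding an odd number of `abi_long`s (4 bytes against an 8-byte host long) with a CPU count that does or does not fit into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not QEMU's code. abi_long models a 32-bit guest "long";
 * the host "long" is whatever the compiling host uses (8 bytes on x86_64). */
typedef int32_t abi_long;

enum { TARGET_EINVAL = 22 };   /* assumed value for the illustration */

/* Stand-in for the host kernel (assumption, not the real syscall). Like the
 * kernel it insists that mask_size is a multiple of sizeof(long) and large
 * enough for numcpus bits, fills one bit per CPU, and returns the number of
 * bytes it wrote, which is rounded up to the host long size. */
static long host_sched_getaffinity_model(int numcpus, size_t mask_size,
                                         unsigned char *mask)
{
    size_t needed = ((size_t)numcpus + 7) / 8;                  /* bits -> bytes */
    needed = (needed + sizeof(long) - 1) & ~(sizeof(long) - 1); /* host rounding */
    if (mask_size % sizeof(long) != 0 || mask_size < needed) {
        return -TARGET_EINVAL;
    }
    memset(mask, 0, mask_size);
    for (int cpu = 0; cpu < numcpus; cpu++) {
        mask[cpu / 8] |= (unsigned char)(1u << (cpu % 8));
    }
    return (long)needed;
}

/* Model of the fixed wrapper. arg2 is the guest's buffer length in bytes and
 * guest_buf has exactly arg2 writable bytes. Returns the number of bytes
 * copied to the guest, or a negative TARGET_ errno. */
static abi_long guest_sched_getaffinity(int numcpus, abi_long arg2,
                                        unsigned char *guest_buf)
{
    unsigned char mask[128];
    if (arg2 <= 0 || (size_t)arg2 > sizeof(mask) - sizeof(long)) {
        return -TARGET_EINVAL;
    }
    /* Round the size up to a multiple of the host long, as the host requires. */
    size_t mask_size = ((size_t)arg2 + sizeof(long) - 1) & ~(sizeof(long) - 1);
    long ret = host_sched_getaffinity_model(numcpus, mask_size, mask);
    if (ret < 0) {
        return (abi_long)ret;
    }
    if (ret > arg2) {
        /* The host wrote more bytes than the guest buffer holds. That is only
         * acceptable if the extra bytes carry no CPU bits. */
        if (numcpus > arg2 * 8) {
            return -TARGET_EINVAL;
        }
        ret = arg2;
    }
    memcpy(guest_buf, mask, (size_t)ret);   /* copy_to_user stand-in: never past arg2 */
    return (abi_long)ret;
}

/* Runs the wrapper against a canary-padded guest buffer and reports whether
 * every byte beyond arg2 is untouched. The wrapper's return value goes to *result. */
static int canary_intact_after_call(int numcpus, abi_long arg2, abi_long *result)
{
    unsigned char guest[16];
    memset(guest, 0xA5, sizeof(guest));      /* constructed canary pattern */
    *result = guest_sched_getaffinity(numcpus, arg2, guest);
    for (size_t i = (size_t)arg2; i < sizeof(guest); i++) {
        if (guest[i] != 0xA5) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    abi_long r;
    /* 16 CPUs fit in a 4-byte guest buffer: the extra host bytes are dropped. */
    int ok = canary_intact_after_call(16, 4, &r) && r == 4;
    /* 40 CPUs do not fit in 4 bytes: EINVAL instead of an overrun. */
    ok = ok && canary_intact_after_call(40, 4, &r) && r == -TARGET_EINVAL;
    return ok ? 0 : 1;
}
```

With an 8-byte host long, the 4-byte guest buffer is rounded up to an 8-byte host buffer, so the host reports 8 bytes written even when only the first two carry CPU bits; the check truncates the copy to 4 bytes in that case and refuses with EINVAL when the CPU count genuinely needs more than the guest offered. On a host whose long is already 4 bytes the rounding is a no-op and the same calls succeed or fail through the host model's own size check.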