On 2/10/23 13:18, Warner Losh wrote:
> +abi_long do_freebsd_sysctl(CPUArchState *env, abi_ulong namep, int32_t namelen,
> + abi_ulong oldp, abi_ulong oldlenp, abi_ulong newp, abi_ulong newlen)
> +{
> + abi_long ret;
> + void *hnamep, *holdp = NULL, *hnewp = NULL;
> + size_t holdlen;
> + abi_ulong oldlen = 0;
> + int32_t *snamep = g_malloc(sizeof(int32_t) * namelen), *p, *q, i;
> +
> + if (oldlenp) {
> + if (get_user_ual(oldlen, oldlenp)) {
> + return -TARGET_EFAULT;
> + }
> + }
You need to check for write early. Either access_ok, or lock_user.
> + for (p = hnamep, q = snamep, i = 0; i < namelen; p++, i++) {
> + *q++ = tswap32(*p);
> + }
Why the inconsistent increments?
no reason... Fixed.
> + unlock_user(holdp, oldp, holdlen);
Usually we don't want writeback on error.
Indeed. Fixed as well.. in the other fixes for error handling.