aboutsummaryrefslogtreecommitdiff
path: root/linux-user
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2016-07-18 15:35:59 +0100
committerRiku Voipio <riku.voipio@linaro.org>2016-09-21 14:25:26 +0300
commit2ba7fae3bd688f5bb6cb08defc731d77e6bd943c (patch)
treea2138d834c2f9d056db7c55b26118b554865be46 /linux-user
parent700fa58e4b9100d6bd77df06d2e5d1f457720c4d (diff)
downloadqemu-2ba7fae3bd688f5bb6cb08defc731d77e6bd943c.zip
qemu-2ba7fae3bd688f5bb6cb08defc731d77e6bd943c.tar.gz
qemu-2ba7fae3bd688f5bb6cb08defc731d77e6bd943c.tar.bz2
linux-user: Check for bad event numbers in epoll_wait
The kernel checks that the maxevents parameter to epoll_wait is non-negative and not larger than EP_MAX_EVENTS. Add this check to our implementation, so that: * we fail these cases EINVAL rather than EFAULT * we don't pass negative or overflowing values to the lock_user() size calculation Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Diffstat (limited to 'linux-user')
-rw-r--r--linux-user/syscall.c5
-rw-r--r--linux-user/syscall_defs.h3
2 files changed, 8 insertions, 0 deletions
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 21ae996..eecccbb 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11501,6 +11501,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
int maxevents = arg3;
int timeout = arg4;
+ if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+
target_ep = lock_user(VERIFY_WRITE, arg2,
maxevents * sizeof(struct target_epoll_event), 1);
if (!target_ep) {
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index c0e5cb0..5c19c5c 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2585,6 +2585,9 @@ struct target_epoll_event {
abi_uint events;
target_epoll_data_t data;
} TARGET_EPOLL_PACKED;
+
+#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
+
#endif
struct target_rlimit64 {
uint64_t rlim_cur;