Commit 2ba7fae3 authored Jul 18, 2016 by Peter Maydell Committed by Riku Voipio Sep 21, 2016

linux-user: Check for bad event numbers in epoll_wait



The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
 * we fail these cases EINVAL rather than EFAULT
 * we don't pass negative or overflowing values to the
   lock_user() size calculation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>

parent 700fa58e

linux-user/syscall.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -11501,6 +11501,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
		int maxevents = arg3;
		int timeout = arg4;

		if (maxevents <= 0 \|\| maxevents > TARGET_EP_MAX_EVENTS) {
		ret = -TARGET_EINVAL;
		break;
		}

		target_ep = lock_user(VERIFY_WRITE, arg2,
		maxevents * sizeof(struct target_epoll_event), 1);
		if (!target_ep) {

linux-user/syscall_defs.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -2585,6 +2585,9 @@ struct target_epoll_event {
		abi_uint events;
		target_epoll_data_t data;
		} TARGET_EPOLL_PACKED;

		#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))

		#endif
		struct target_rlimit64 {
		uint64_t rlim_cur;