Commit ce9c139d authored by Peter Maydell's avatar Peter Maydell Committed by Riku Voipio
Browse files

linux-user: Range check the nfds argument to ppoll syscall 



Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: default avatarRiku Voipio <riku.voipio@linaro.org>
parent 2ba7fae3

linux-user/syscall.c

+5 −0
Original line number Diff line number Diff line
@@ -9661,6 +9661,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, 
            pfd = NULL;

            target_pfd = NULL;

            if (nfds) {

                if (nfds > (INT_MAX / sizeof(struct target_pollfd))) {

                    ret = -TARGET_EINVAL;

                    break;

                }



                target_pfd = lock_user(VERIFY_WRITE, arg1,

                                       sizeof(struct target_pollfd) * nfds, 1);

                if (!target_pfd) {