* [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes @ 2016-07-18 14:35 Peter Maydell 2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell 2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell 0 siblings, 2 replies; 5+ messages in thread From: Peter Maydell @ 2016-07-18 14:35 UTC (permalink / raw) To: qemu-devel; +Cc: patches, Riku Voipio This patchset fixes a couple of minor problems in epoll_wait and epoll_pwait: * we weren't checking an argument for sanity, so we would fail EFAULT rather than EINVAL for cases like negative lengths (thus failing an LTP testcase) * we were using alloca() to allocate an array whose length is set by the guest Peter Maydell (2): linux-user: Check for bad event numbers in epoll_wait linux-user: Don't use alloca() for epoll_wait's epoll event array linux-user/syscall.c | 22 ++++++++++++++++++---- linux-user/syscall_defs.h | 3 +++ 2 files changed, 21 insertions(+), 4 deletions(-) -- 1.9.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait 2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell @ 2016-07-18 14:35 ` Peter Maydell 2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell 1 sibling, 0 replies; 5+ messages in thread From: Peter Maydell @ 2016-07-18 14:35 UTC (permalink / raw) To: qemu-devel; +Cc: patches, Riku Voipio The kernel checks that the maxevents parameter to epoll_wait is non-negative and not larger than EP_MAX_EVENTS. Add this check to our implementation, so that: * we fail these cases EINVAL rather than EFAULT * we don't pass negative or overflowing values to the lock_user() size calculation Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- This fixes an LTP epoll_wait03 test case that checks a negative max_events argument. --- linux-user/syscall.c | 5 +++++ linux-user/syscall_defs.h | 3 +++ 2 files changed, 8 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index fe72abe..3552295 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -11024,6 +11024,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, int maxevents = arg3; int timeout = arg4; + if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) { + ret = -TARGET_EINVAL; + break; + } + target_ep = lock_user(VERIFY_WRITE, arg2, maxevents * sizeof(struct target_epoll_event), 1); if (!target_ep) { diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index d9dea0e..dbf6a38 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -2585,6 +2585,9 @@ struct target_epoll_event { abi_uint events; target_epoll_data_t data; } TARGET_EPOLL_PACKED; + +#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event)) + #endif struct target_rlimit64 { uint64_t rlim_cur; -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array 2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell 2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell @ 2016-07-18 14:36 ` Peter Maydell 2016-10-04 13:09 ` Peter Maydell 1 sibling, 1 reply; 5+ messages in thread From: Peter Maydell @ 2016-07-18 14:36 UTC (permalink / raw) To: qemu-devel; +Cc: patches, Riku Voipio The epoll event array which epoll_wait() allocates has a size determined by the guest which could potentially be quite large. Use g_try_new() rather than alloca() so that we can fail more cleanly if the guest hands us an oversize value. (ENOMEM is not a documented return value for epoll_wait() but in practice some kernel configurations can return it -- see for instance sys_oabi_epoll_wait() on ARM.) This rearrangement includes fixing a bug where we were incorrectly passing a negative length to unlock_user() in the error-exit codepath. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- linux-user/syscall.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 3552295..721d7b1 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, goto efault; } - ep = alloca(maxevents * sizeof(struct epoll_event)); + ep = g_try_new(struct epoll_event, maxevents); + if (!ep) { + unlock_user(target_ep, arg2, 0); + ret = -TARGET_ENOMEM; + break; + } switch (num) { #if defined(TARGET_NR_epoll_pwait) @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, target_set = lock_user(VERIFY_READ, arg5, sizeof(target_sigset_t), 1); if (!target_set) { - unlock_user(target_ep, arg2, 0); - goto efault; + ret = -TARGET_EFAULT; + break; } target_to_host_sigset(set, target_set); unlock_user(target_set, arg5, 0); @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, target_ep[i].events = tswap32(ep[i].events); target_ep[i].data.u64 = tswap64(ep[i].data.u64); } + unlock_user(target_ep, arg2, + ret * sizeof(struct target_epoll_event)); + } else { + unlock_user(target_ep, arg2, 0); } - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); + g_free(ep); break; } #endif -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array 2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell @ 2016-10-04 13:09 ` Peter Maydell 2016-10-05 18:42 ` Riku Voipio 0 siblings, 1 reply; 5+ messages in thread From: Peter Maydell @ 2016-10-04 13:09 UTC (permalink / raw) To: QEMU Developers; +Cc: Riku Voipio, Patch Tracking Ping? It looks like patch 1/2 of this series got into the recent linux-user pullreq, but this one (2/2) didn't. Do you want a resend as a standalone patch? thanks -- PMM On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote: > The epoll event array which epoll_wait() allocates has a size > determined by the guest which could potentially be quite large. > Use g_try_new() rather than alloca() so that we can fail more > cleanly if the guest hands us an oversize value. (ENOMEM is > not a documented return value for epoll_wait() but in practice > some kernel configurations can return it -- see for instance > sys_oabi_epoll_wait() on ARM.) > > This rearrangement includes fixing a bug where we were > incorrectly passing a negative length to unlock_user() in > the error-exit codepath. > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > linux-user/syscall.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index 3552295..721d7b1 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > goto efault; > } > > - ep = alloca(maxevents * sizeof(struct epoll_event)); > + ep = g_try_new(struct epoll_event, maxevents); > + if (!ep) { > + unlock_user(target_ep, arg2, 0); > + ret = -TARGET_ENOMEM; > + break; > + } > > switch (num) { > #if defined(TARGET_NR_epoll_pwait) > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > target_set = lock_user(VERIFY_READ, arg5, > sizeof(target_sigset_t), 1); > if (!target_set) { > - unlock_user(target_ep, arg2, 0); > - goto efault; > + ret = -TARGET_EFAULT; > + break; > } > target_to_host_sigset(set, target_set); > unlock_user(target_set, arg5, 0); > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > target_ep[i].events = tswap32(ep[i].events); > target_ep[i].data.u64 = tswap64(ep[i].data.u64); > } > + unlock_user(target_ep, arg2, > + ret * sizeof(struct target_epoll_event)); > + } else { > + unlock_user(target_ep, arg2, 0); > } > - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); > + g_free(ep); > break; > } > #endif > -- > 1.9.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array 2016-10-04 13:09 ` Peter Maydell @ 2016-10-05 18:42 ` Riku Voipio 0 siblings, 0 replies; 5+ messages in thread From: Riku Voipio @ 2016-10-05 18:42 UTC (permalink / raw) To: Peter Maydell; +Cc: QEMU Developers, Patch Tracking On Tue, Oct 04, 2016 at 02:09:33PM +0100, Peter Maydell wrote: > Ping? It looks like patch 1/2 of this series got into the > recent linux-user pullreq, but this one (2/2) didn't. Do > you want a resend as a standalone patch? No need, I've pulled it from patchwork, for some reason this didn't get to my mailbox... > On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote: > > The epoll event array which epoll_wait() allocates has a size > > determined by the guest which could potentially be quite large. > > Use g_try_new() rather than alloca() so that we can fail more > > cleanly if the guest hands us an oversize value. (ENOMEM is > > not a documented return value for epoll_wait() but in practice > > some kernel configurations can return it -- see for instance > > sys_oabi_epoll_wait() on ARM.) > > > > This rearrangement includes fixing a bug where we were > > incorrectly passing a negative length to unlock_user() in > > the error-exit codepath. > > > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > > --- > > linux-user/syscall.c | 17 +++++++++++++---- > > 1 file changed, 13 insertions(+), 4 deletions(-) > > > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > > index 3552295..721d7b1 100644 > > --- a/linux-user/syscall.c > > +++ b/linux-user/syscall.c > > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > goto efault; > > } > > > > - ep = alloca(maxevents * sizeof(struct epoll_event)); > > + ep = g_try_new(struct epoll_event, maxevents); > > + if (!ep) { > > + unlock_user(target_ep, arg2, 0); > > + ret = -TARGET_ENOMEM; > > + break; > > + } > > > > switch (num) { > > #if defined(TARGET_NR_epoll_pwait) > > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > target_set = lock_user(VERIFY_READ, arg5, > > sizeof(target_sigset_t), 1); > > if (!target_set) { > > - unlock_user(target_ep, arg2, 0); > > - goto efault; > > + ret = -TARGET_EFAULT; > > + break; > > } > > target_to_host_sigset(set, target_set); > > unlock_user(target_set, arg5, 0); > > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, > > target_ep[i].events = tswap32(ep[i].events); > > target_ep[i].data.u64 = tswap64(ep[i].data.u64); > > } > > + unlock_user(target_ep, arg2, > > + ret * sizeof(struct target_epoll_event)); > > + } else { > > + unlock_user(target_ep, arg2, 0); > > } > > - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); > > + g_free(ep); > > break; > > } > > #endif > > -- > > 1.9.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-10-05 18:43 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell 2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell 2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell 2016-10-04 13:09 ` Peter Maydell 2016-10-05 18:42 ` Riku Voipio
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.