* [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes
@ 2016-07-18 14:35 Peter Maydell
2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell
2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell
0 siblings, 2 replies; 5+ messages in thread
From: Peter Maydell @ 2016-07-18 14:35 UTC (permalink / raw)
To: qemu-devel; +Cc: patches, Riku Voipio
This patchset fixes a couple of minor problems in epoll_wait
and epoll_pwait:
* we weren't checking an argument for sanity, so we would
fail EFAULT rather than EINVAL for cases like negative
lengths (thus failing an LTP testcase)
* we were using alloca() to allocate an array whose length
is set by the guest
Peter Maydell (2):
linux-user: Check for bad event numbers in epoll_wait
linux-user: Don't use alloca() for epoll_wait's epoll event array
linux-user/syscall.c | 22 ++++++++++++++++++----
linux-user/syscall_defs.h | 3 +++
2 files changed, 21 insertions(+), 4 deletions(-)
--
1.9.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait
2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell
@ 2016-07-18 14:35 ` Peter Maydell
2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell
1 sibling, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2016-07-18 14:35 UTC (permalink / raw)
To: qemu-devel; +Cc: patches, Riku Voipio
The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
* we fail these cases EINVAL rather than EFAULT
* we don't pass negative or overflowing values to the
lock_user() size calculation
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
This fixes an LTP epoll_wait03 test case that checks a
negative max_events argument.
---
linux-user/syscall.c | 5 +++++
linux-user/syscall_defs.h | 3 +++
2 files changed, 8 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fe72abe..3552295 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11024,6 +11024,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
int maxevents = arg3;
int timeout = arg4;
+ if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+
target_ep = lock_user(VERIFY_WRITE, arg2,
maxevents * sizeof(struct target_epoll_event), 1);
if (!target_ep) {
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index d9dea0e..dbf6a38 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2585,6 +2585,9 @@ struct target_epoll_event {
abi_uint events;
target_epoll_data_t data;
} TARGET_EPOLL_PACKED;
+
+#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
+
#endif
struct target_rlimit64 {
uint64_t rlim_cur;
--
1.9.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array
2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell
2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell
@ 2016-07-18 14:36 ` Peter Maydell
2016-10-04 13:09 ` Peter Maydell
1 sibling, 1 reply; 5+ messages in thread
From: Peter Maydell @ 2016-07-18 14:36 UTC (permalink / raw)
To: qemu-devel; +Cc: patches, Riku Voipio
The epoll event array which epoll_wait() allocates has a size
determined by the guest which could potentially be quite large.
Use g_try_new() rather than alloca() so that we can fail more
cleanly if the guest hands us an oversize value. (ENOMEM is
not a documented return value for epoll_wait() but in practice
some kernel configurations can return it -- see for instance
sys_oabi_epoll_wait() on ARM.)
This rearrangement includes fixing a bug where we were
incorrectly passing a negative length to unlock_user() in
the error-exit codepath.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
linux-user/syscall.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 3552295..721d7b1 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
goto efault;
}
- ep = alloca(maxevents * sizeof(struct epoll_event));
+ ep = g_try_new(struct epoll_event, maxevents);
+ if (!ep) {
+ unlock_user(target_ep, arg2, 0);
+ ret = -TARGET_ENOMEM;
+ break;
+ }
switch (num) {
#if defined(TARGET_NR_epoll_pwait)
@@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
target_set = lock_user(VERIFY_READ, arg5,
sizeof(target_sigset_t), 1);
if (!target_set) {
- unlock_user(target_ep, arg2, 0);
- goto efault;
+ ret = -TARGET_EFAULT;
+ break;
}
target_to_host_sigset(set, target_set);
unlock_user(target_set, arg5, 0);
@@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
target_ep[i].events = tswap32(ep[i].events);
target_ep[i].data.u64 = tswap64(ep[i].data.u64);
}
+ unlock_user(target_ep, arg2,
+ ret * sizeof(struct target_epoll_event));
+ } else {
+ unlock_user(target_ep, arg2, 0);
}
- unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
+ g_free(ep);
break;
}
#endif
--
1.9.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array
2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell
@ 2016-10-04 13:09 ` Peter Maydell
2016-10-05 18:42 ` Riku Voipio
0 siblings, 1 reply; 5+ messages in thread
From: Peter Maydell @ 2016-10-04 13:09 UTC (permalink / raw)
To: QEMU Developers; +Cc: Riku Voipio, Patch Tracking
Ping? It looks like patch 1/2 of this series got into the
recent linux-user pullreq, but this one (2/2) didn't. Do
you want a resend as a standalone patch?
thanks
-- PMM
On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote:
> The epoll event array which epoll_wait() allocates has a size
> determined by the guest which could potentially be quite large.
> Use g_try_new() rather than alloca() so that we can fail more
> cleanly if the guest hands us an oversize value. (ENOMEM is
> not a documented return value for epoll_wait() but in practice
> some kernel configurations can return it -- see for instance
> sys_oabi_epoll_wait() on ARM.)
>
> This rearrangement includes fixing a bug where we were
> incorrectly passing a negative length to unlock_user() in
> the error-exit codepath.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> linux-user/syscall.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 3552295..721d7b1 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> goto efault;
> }
>
> - ep = alloca(maxevents * sizeof(struct epoll_event));
> + ep = g_try_new(struct epoll_event, maxevents);
> + if (!ep) {
> + unlock_user(target_ep, arg2, 0);
> + ret = -TARGET_ENOMEM;
> + break;
> + }
>
> switch (num) {
> #if defined(TARGET_NR_epoll_pwait)
> @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> target_set = lock_user(VERIFY_READ, arg5,
> sizeof(target_sigset_t), 1);
> if (!target_set) {
> - unlock_user(target_ep, arg2, 0);
> - goto efault;
> + ret = -TARGET_EFAULT;
> + break;
> }
> target_to_host_sigset(set, target_set);
> unlock_user(target_set, arg5, 0);
> @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> target_ep[i].events = tswap32(ep[i].events);
> target_ep[i].data.u64 = tswap64(ep[i].data.u64);
> }
> + unlock_user(target_ep, arg2,
> + ret * sizeof(struct target_epoll_event));
> + } else {
> + unlock_user(target_ep, arg2, 0);
> }
> - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
> + g_free(ep);
> break;
> }
> #endif
> --
> 1.9.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array
2016-10-04 13:09 ` Peter Maydell
@ 2016-10-05 18:42 ` Riku Voipio
0 siblings, 0 replies; 5+ messages in thread
From: Riku Voipio @ 2016-10-05 18:42 UTC (permalink / raw)
To: Peter Maydell; +Cc: QEMU Developers, Patch Tracking
On Tue, Oct 04, 2016 at 02:09:33PM +0100, Peter Maydell wrote:
> Ping? It looks like patch 1/2 of this series got into the
> recent linux-user pullreq, but this one (2/2) didn't. Do
> you want a resend as a standalone patch?
No need, I've pulled it from patchwork, for some reason this didn't get to
my mailbox...
> On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote:
> > The epoll event array which epoll_wait() allocates has a size
> > determined by the guest which could potentially be quite large.
> > Use g_try_new() rather than alloca() so that we can fail more
> > cleanly if the guest hands us an oversize value. (ENOMEM is
> > not a documented return value for epoll_wait() but in practice
> > some kernel configurations can return it -- see for instance
> > sys_oabi_epoll_wait() on ARM.)
> >
> > This rearrangement includes fixing a bug where we were
> > incorrectly passing a negative length to unlock_user() in
> > the error-exit codepath.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> > ---
> > linux-user/syscall.c | 17 +++++++++++++----
> > 1 file changed, 13 insertions(+), 4 deletions(-)
> >
> > diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> > index 3552295..721d7b1 100644
> > --- a/linux-user/syscall.c
> > +++ b/linux-user/syscall.c
> > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> > goto efault;
> > }
> >
> > - ep = alloca(maxevents * sizeof(struct epoll_event));
> > + ep = g_try_new(struct epoll_event, maxevents);
> > + if (!ep) {
> > + unlock_user(target_ep, arg2, 0);
> > + ret = -TARGET_ENOMEM;
> > + break;
> > + }
> >
> > switch (num) {
> > #if defined(TARGET_NR_epoll_pwait)
> > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> > target_set = lock_user(VERIFY_READ, arg5,
> > sizeof(target_sigset_t), 1);
> > if (!target_set) {
> > - unlock_user(target_ep, arg2, 0);
> > - goto efault;
> > + ret = -TARGET_EFAULT;
> > + break;
> > }
> > target_to_host_sigset(set, target_set);
> > unlock_user(target_set, arg5, 0);
> > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> > target_ep[i].events = tswap32(ep[i].events);
> > target_ep[i].data.u64 = tswap64(ep[i].data.u64);
> > }
> > + unlock_user(target_ep, arg2,
> > + ret * sizeof(struct target_epoll_event));
> > + } else {
> > + unlock_user(target_ep, arg2, 0);
> > }
> > - unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
> > + g_free(ep);
> > break;
> > }
> > #endif
> > --
> > 1.9.1
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-10-05 18:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell
2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell
2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell
2016-10-04 13:09 ` Peter Maydell
2016-10-05 18:42 ` Riku Voipio
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.