Patchwork linux-user: make bogus negative iovec lengths fail EINVAL

login
register
mail settings
Submitter Peter Maydell
Date Feb. 8, 2013, 5:58 p.m.
Message ID <1360346321-2568-1-git-send-email-peter.maydell@linaro.org>
Download mbox | patch
Permalink /patch/219240/
State New
Headers show

Comments

Peter Maydell - Feb. 8, 2013, 5:58 p.m.
If the guest passes us a bogus negative length for an iovec, fail
EINVAL rather than proceeding blindly forward. This fixes some of
the error cases tests for readv and writev in the LTP.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
I guess I'll resend this mixed bag of linux-user patches as a single
series after the trunk reopens; feel free to review in the meantime :-)

 linux-user/syscall.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Richard Henderson - Feb. 8, 2013, 8:26 p.m.
On 2013-02-08 09:58, Peter Maydell wrote:
> If the guest passes us a bogus negative length for an iovec, fail
> EINVAL rather than proceeding blindly forward. This fixes some of
> the error cases tests for readv and writev in the LTP.
>
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
> ---
> I guess I'll resend this mixed bag of linux-user patches as a single
> series after the trunk reopens; feel free to review in the meantime :-)
>
>   linux-user/syscall.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
Reviewed-by: Richard Henderson <rth@twiddle.net>


r~

Patch

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 35df073..d38eb24 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1779,7 +1779,7 @@  static struct iovec *lock_iovec(int type, abi_ulong target_addr,
         errno = 0;
         return NULL;
     }
-    if (count > IOV_MAX) {
+    if (count < 0 || count > IOV_MAX) {
         errno = EINVAL;
         return NULL;
     }