@@ -3135,9 +3135,15 @@ static abi_long do_ipc(unsigned int call, int first,
ret = get_errno(semget(first, second, third));
break;
- case IPCOP_semctl:
- ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) ptr);
+ case IPCOP_semctl: {
+ /* The semun argument to semctl is passed by value, so dereference the
+ * ptr argument. */
+ abi_ulong atptr;
+ get_user_ual(atptr, (abi_ulong)ptr);
+ ret = do_semctl(first, second, third,
+ (union target_semun)(abi_ulong) atptr);
break;
+ }
case IPCOP_msgget:
ret = get_errno(msgget(first, second));
When the ipc system call is used to wrap a semctl system call, the ptr argument to ipc needs to be dereferenced prior to passing it to the semctl handler. This is because the fourth argument to semctl is a union and not a pointer to a union. Signed-off-by: Tom Musta <tommusta@gmail.com> --- V2: This is unchanged from V1. I *did* review the QEMU, glibc and kernel code looking for some problems but did not find anything. I also did fairly comprehesive testing of semctl on 4 targets (ppc-linux-user, ppc64-linux-user, ppc64le-linux-user, x86_64-linux-user) on 3 different host platforms (x86-64 Ubuntu, PPC64 RHEL 6 (BE) and PPC64 Ubuntu 14.04 (LE)); this provided a broad coverage of co-endian and cross endian situations. linux-user/syscall.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-)