[PULL,v3,10/22] linux-user: Dereference Pointer Argument to ipc/semctl Sys Call

Message ID 5d2fa8ebb4dae0057ed9baab617971dcd5ea493f.1408712881.git.riku.voipio@linaro.org
State New

Commit Message

Riku Voipio Aug. 22, 2014, 1:24 p.m. UTC
From: Tom Musta <tommusta@gmail.com>

When the ipc system call is used to wrap a semctl system call,
the ptr argument to ipc needs to be dereferenced prior to passing
it to the semctl handler.  This is because the fourth argument to
semctl is a union and not a pointer to a union.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Patch

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fba7fd2..08fdd94 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3140,9 +3140,15 @@  static abi_long do_ipc(unsigned int call, int first,
         ret = get_errno(semget(first, second, third));
         break;
 
-    case IPCOP_semctl:
-        ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) ptr);
+    case IPCOP_semctl: {
+        /* The semun argument to semctl is passed by value, so dereference the
+         * ptr argument. */
+        abi_ulong atptr;
+        get_user_ual(atptr, (abi_ulong)ptr);
+        ret = do_semctl(first, second, third,
+                (union target_semun)(abi_ulong) atptr);
         break;
+    }
 
     case IPCOP_msgget:
         ret = get_errno(msgget(first, second));
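Review bot: the return value of get_user_ual() at `get_user_ual(atptr, (abi_ulong)ptr);` is ignored, so if the guest passes an unmapped or otherwise unreadable ptr, atptr is left uninitialized and an indeterminate value is forwarded to do_semctl instead of the call failing. Elsewhere in syscall.c this guest-memory read is checked, and the same pattern fits here: `if (get_user_ual(atptr, ptr)) { ret = -TARGET_EFAULT; break; }`. As a minor style point, the `(abi_ulong) atptr` cast in the do_semctl call is redundant since atptr is already declared abi_ulong, and the comment could note that this dereference is what distinguishes the ipc-multiplexed path from a direct semctl, where the union already arrives by value.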