diff mbox

[PULL,07/26] linux-user: Range check the nfds argument to ppoll syscall

Message ID ce9c139d93db03e464341385976606b7568b768f.1474546244.git.riku.voipio@linaro.org
State New
Headers show

Commit Message

Riku Voipio Sept. 22, 2016, 12:13 p.m. UTC 
From: Peter Maydell <peter.maydell@linaro.org>

Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 5 +++++
 1 file changed, 5 insertions(+)
diff mbox

Patch

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index eecccbb..7a50a57 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9661,6 +9661,11 @@  abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             pfd = NULL;
             target_pfd = NULL;
             if (nfds) {
+                if (nfds > (INT_MAX / sizeof(struct target_pollfd))) {
+                    ret = -TARGET_EINVAL;
+                    break;
+                }
+
                 target_pfd = lock_user(VERIFY_WRITE, arg1,
                                        sizeof(struct target_pollfd) * nfds, 1);
                 if (!target_pfd) {