linux-user: Check for bad event numbers in epoll_wait

The kernel checks that the maxevents parameter to epoll_wait is non-negative and not larger than EP_MAX_EVENTS. Add this check to our implementation, so that: * we fail these cases EINVAL rather than EFAULT * we don't pass negative or overflowing values to the lock_user() size calculation Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
2024-07-22 10:55:31 +00:00 · 2016-07-18 15:35:59 +01:00 · 2016-07-18 15:35:59 +01:00 · 2ba7fae3bd
parent 700fa58e4b
commit 2ba7fae3bd
2 changed files with 8 additions and 0 deletions
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@ -11501,6 +11501,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
        int maxevents = arg3;
        int timeout = arg4;

+        if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
+            ret = -TARGET_EINVAL;
+            break;
+        }
+
        target_ep = lock_user(VERIFY_WRITE, arg2,
                              maxevents * sizeof(struct target_epoll_event), 1);
        if (!target_ep) {
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@ -2585,6 +2585,9 @@ struct target_epoll_event {
    abi_uint events;
    target_epoll_data_t data;
 } TARGET_EPOLL_PACKED;
+
+#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
+
 #endif
 struct target_rlimit64 {
    uint64_t rlim_cur;