Google Git
Sign in
qemu / qemu / 04c95f4da7f657a0bef17d115d0a5ca2ac0e2d22^! / . / linux-user / syscall.c
commit04c95f4da7f657a0bef17d115d0a5ca2ac0e2d22[log] [tgz]
authorPeter Maydell <peter.maydell@linaro.org>Mon Jul 18 15:36:00 2016 +0100
committerRiku Voipio <riku.voipio@linaro.org>Fri Oct 21 15:19:41 2016 +0300
tree736a7cadc4ba8bec87fa81acc274ceeb152df7c4
parent434f286bbc1570b204ac2a450d92890578594773 [diff] [blame]
linux-user: Don't use alloca() for epoll_wait's epoll event array

The epoll event array which epoll_wait() allocates has a size
determined by the guest which could potentially be quite large.
Use g_try_new() rather than alloca() so that we can fail more
cleanly if the guest hands us an oversize value. (ENOMEM is
not a documented return value for epoll_wait() but in practice
some kernel configurations can return it -- see for instance
sys_oabi_epoll_wait() on ARM.)

This rearrangement includes fixing a bug where we were
incorrectly passing a negative length to unlock_user() in
the error-exit codepath.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 31143b3..932d0ec 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c

@@ -11777,7 +11777,12 @@
             goto efault;
         }
 
-        ep = alloca(maxevents * sizeof(struct epoll_event));
+        ep = g_try_new(struct epoll_event, maxevents);
+        if (!ep) {
+            unlock_user(target_ep, arg2, 0);
+            ret = -TARGET_ENOMEM;
+            break;
+        }
 
         switch (num) {
 #if defined(TARGET_NR_epoll_pwait)
@@ -11795,8 +11800,8 @@
                 target_set = lock_user(VERIFY_READ, arg5,
                                        sizeof(target_sigset_t), 1);
                 if (!target_set) {
-                    unlock_user(target_ep, arg2, 0);
-                    goto efault;
+                    ret = -TARGET_EFAULT;
+                    break;
                 }
                 target_to_host_sigset(set, target_set);
                 unlock_user(target_set, arg5, 0);
@@ -11824,8 +11829,12 @@
                 target_ep[i].events = tswap32(ep[i].events);
                 target_ep[i].data.u64 = tswap64(ep[i].data.u64);
             }
+            unlock_user(target_ep, arg2,
+                        ret * sizeof(struct target_epoll_event));
+        } else {
+            unlock_user(target_ep, arg2, 0);
         }
-        unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
+        g_free(ep);
         break;
     }
 #endif