target_to_host_bitmask truncates the bitmask to int. Check that the upper half of the flags do not have any bits set.
Signed-off-by: Andreas Schwab <[email protected]> --- linux-user/syscall.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 8469b81878..667aea6a03 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8822,6 +8822,10 @@ static int do_openat2(CPUArchState *cpu_env, abi_long dirfd, } return ret; } + if (tswap64(how.flags) >> 32) { + return -TARGET_EINVAL; + } + pathname = lock_user_string(guest_pathname); if (!pathname) { return -TARGET_EFAULT; -- 2.53.0 -- Andreas Schwab, SUSE Labs, [email protected] GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different."
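Review bot: the new `if (tswap64(how.flags) >> 32)` check in do_openat2 has no comment saying why the upper 32 bits are rejected; the reason (target_to_host_bitmask() truncating the mask to int) lives only in the commit message and will not be visible to the next person reading syscall.c. Suggest a one-line comment above the `if`, along the lines of `/* target_to_host_bitmask() only converts the low 32 bits; refuse flags above that. */`. Rejecting with -TARGET_EINVAL is consistent with the kernel, which returns EINVAL for an unknown flag in struct open_how, and placing the check before lock_user_string() is correct since nothing needs unlocking on this early-return path. One thing to confirm from the surrounding code not shown in the hunk: that how.flags is still in guest byte order at this point, since the check swaps it with tswap64() and a double swap would silently defeat the test.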
