From: Andreas Schwab <[email protected]>

target_to_host_bitmask truncates the bitmask to int. Check that the upper half of the flags does not have any bits set.

Signed-off-by: Andreas Schwab <[email protected]> Reviewed-by: Helge Deller <[email protected]> Signed-off-by: Helge Deller <[email protected]> --- linux-user/syscall.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 99e1ed97d9..064bc604c9 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8831,6 +8831,10 @@ static int do_openat2(CPUArchState *cpu_env, abi_long dirfd, } return ret; } + if (tswap64(how.flags) >> 32) { + return -TARGET_EINVAL; + } + pathname = lock_user_string(guest_pathname); if (!pathname) { return -TARGET_EFAULT; -- 2.53.0
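
Review bot: the added `if (tswap64(how.flags) >> 32)` check in do_openat2 has no comment explaining why the upper 32 bits are rejected; the reason (target_to_host_bitmask truncates the bitmask to int, so high bits would otherwise be dropped silently) is stated only in the commit message. A one-line comment above the check would keep a later refactor from removing it as redundant. The check also byte-swaps how.flags only to test it and then discards the result; if the code further down swaps the same field again before converting it, swapping once into a local uint64_t and using that for both the range check and the conversion would make it obvious that the validated value is the one that gets converted. The placement before lock_user_string is good, since the early return then needs no unlock, and -TARGET_EINVAL is consistent with the kernel rejecting unknown openat2 flags with EINVAL.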
