On 27 August 2015 at 15:50, Jonathan Neuschäfer <j.neuschae...@gmx.net> wrote:
> In the current implementation, __target_cmsg_nxthdr compares a pointer
> derived from target_cmsg against the msg_control field of target_msgh
> (through subtraction). This failed for me when emulating i386 code
> under x86_64, because pointers in the host address space and pointers in
> the guest address space were not the same. This patch adds a g2h()
> address translation around the msg_control value.
>
> Signed-off-by: Jonathan Neuschäfer <j.neuschae...@gmx.net>
> ---
> linux-user/syscall_defs.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
> index edd5f3c..1eaaf2a 100644
> --- a/linux-user/syscall_defs.h
> +++ b/linux-user/syscall_defs.h
> @@ -248,7 +248,7 @@ __target_cmsg_nxthdr (struct target_msghdr *__mhdr,
> struct target_cmsghdr *__cms
>
> __ptr = (struct target_cmsghdr *)((unsigned char *) __cmsg
> + TARGET_CMSG_ALIGN
> (tswapal(__cmsg->cmsg_len)));
> - if ((unsigned long)((char *)(__ptr+1) - (char
> *)(size_t)tswapal(__mhdr->msg_control))
> + if ((unsigned long)((char *)(__ptr+1) - (char
> *)g2h(tswapal(__mhdr->msg_control)))
> > tswapal(__mhdr->msg_controllen))
> /* No more entries. */
> return (struct target_cmsghdr *)0;
This definitely looks like a bug, but I don't think this is
a sufficient fix, because if DEBUG_REMAP is defined then the
locked-memory which the target_cmsghdr* is in is not a
simple g2h() away from the host pointer.
What you need to do is change target_to_host_cmsg and
host_to_target_cmsg so that when at the top of the function
we do:
target_cmsg_addr = tswapal(target_msgh->msg_control);
target_cmsg = lock_user(VERIFY_READ, target_cmsg_addr, msg_controllen, 1);
we save that target_cmsg into some variable (eg target_msg_control),
and pass it into the TARGET_CMSG_NXTHDR macro. That host pointer
is the one we need to use on the right side of the subtraction.
thanks
-- PMM
