From: Peter Maydell <peter.mayd...@linaro.org>
The epoll event array which epoll_wait() allocates has a size
determined by the guest which could potentially be quite large.
Use g_try_new() rather than alloca() so that we can fail more
cleanly if the guest hands us an oversize value. (ENOMEM is
not a documented return value for epoll_wait() but in practice
some kernel configurations can return it -- see for instance
sys_oabi_epoll_wait() on ARM.)
This rearrangement includes fixing a bug where we were
incorrectly passing a negative length to unlock_user() in
the error-exit codepath.
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Riku Voipio <riku.voi...@linaro.org>
---
linux-user/syscall.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index bbdf316..fb56fed 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11796,7 +11796,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
goto efault;
}
- ep = alloca(maxevents * sizeof(struct epoll_event));
+ ep = g_try_new(struct epoll_event, maxevents);
+ if (!ep) {
+ unlock_user(target_ep, arg2, 0);
+ ret = -TARGET_ENOMEM;
+ break;
+ }
switch (num) {
#if defined(TARGET_NR_epoll_pwait)
@@ -11814,8 +11819,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
target_set = lock_user(VERIFY_READ, arg5,
sizeof(target_sigset_t), 1);
if (!target_set) {
- unlock_user(target_ep, arg2, 0);
- goto efault;
+ ret = -TARGET_EFAULT;
+ break;
}
target_to_host_sigset(set, target_set);
unlock_user(target_set, arg5, 0);
@@ -11843,8 +11848,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
target_ep[i].events = tswap32(ep[i].events);
target_ep[i].data.u64 = tswap64(ep[i].data.u64);
}
+ unlock_user(target_ep, arg2,
+ ret * sizeof(struct target_epoll_event));
+ } else {
+ unlock_user(target_ep, arg2, 0);
}
- unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
+ g_free(ep);
break;
}
#endif
--
2.1.4
