1. Patchew
  2. QEMU
  3. [Qemu-devel] [PATCH v5 00/10] linux-user: strace improvements
  4. View patch

[Qemu-devel] [PATCH v5 01/10] linux-user/syscall: Verify recvfrom(addr) is user-writable

Philippe Mathieu-Daudé posted 10 patches 7 years ago
Only 8 patches received!
There is a newer version of this series
[Qemu-devel] [PATCH v5 01/10] linux-user/syscall: Verify recvfrom(addr) is user-writable
Posted by Philippe Mathieu-Daudé 7 years ago 
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-By: Guido Günther <agx@sigxcpu.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ae3c0dfef7..ea503381aa 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2968,6 +2968,11 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
             ret = -TARGET_EINVAL;
             goto fail;
         }
+        if (!access_ok(VERIFY_WRITE, target_addr, addrlen)) {
+            ret = -TARGET_EFAULT;
+            goto fail;
+        }
+
         addr = alloca(addrlen);
         ret = get_errno(safe_recvfrom(fd, host_msg, len, flags,
                                       addr, &addrlen));
-- 
2.19.1
[Qemu-devel] [PATCH v5 01/10] linux-user/syscall: Verify recvfrom(addr) is user-writable
Posted by Laurent Vivier 7 years ago 
On 11/10/2018 00:36, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> Tested-By: Guido Günther <agx@sigxcpu.org>
> Reviewed-by: Laurent Vivier <laurent@vivier.eu>
> ---
>  linux-user/syscall.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index ae3c0dfef7..ea503381aa 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2968,6 +2968,11 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
>              ret = -TARGET_EINVAL;
>              goto fail;
>          }
> +        if (!access_ok(VERIFY_WRITE, target_addr, addrlen)) {
> +            ret = -TARGET_EFAULT;
> +            goto fail;
> +        }
> +
>          addr = alloca(addrlen);
>          ret = get_errno(safe_recvfrom(fd, host_msg, len, flags,
>                                        addr, &addrlen));
> 

This one breaks the test recvfrom01 from the LTP testsuite
ltp-full-20180515 archive.

recvfrom01    3  TFAIL  :  recvfrom01.c:170: invalid socket buffer ;
returned -1 (expected 0), errno 14 (expected 88)

The testcase is with an invalid socket number (-1) and an invalid
addrlen pointer.

Thanks,
Laurent

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.