[PULL 1/8] Fix stack smashing when handling PR_GET_PDEATHSIG

Laurent Vivier posted 8 patches 5 years ago
Maintainers: Jiaxun Yang <jiaxun.yang@flygoat.com>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, Laurent Vivier <laurent@vivier.eu>, Aurelien Jarno <aurelien@aurel32.net>, Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>, Max Filippov <jcmvbkbc@gmail.com>
There is a newer version of this series
Posted by Laurent Vivier 5 years ago
From: Stephen Long <steplong@quicinc.com>

The bug was triggered by the following code on aarch64-linux-user:

#include <signal.h>     /* SIGKILL */
#include <sys/prctl.h>  /* prctl(), PR_GET_PDEATHSIG */

int main(void)
{
  int PDeathSig = 0;
  /* The emulated PR_GET_PDEATHSIG stored more than sizeof(int) into PDeathSig,
   * running past the variable on the stack. */
  if (prctl(PR_GET_PDEATHSIG, &PDeathSig) == 0 && PDeathSig == SIGKILL)
    prctl(PR_GET_PDEATHSIG, 0);
  return (PDeathSig == SIGKILL);
}

Signed-off-by: Stephen Long <steplong@quicinc.com>
Signed-off-by: Ana Pazos <apazos@quicinc.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20200507130302.3684-1-steplong@quicinc.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 897d20c076ce..3e0f14f2e67f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -10703,7 +10703,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
             int deathsig;
             ret = get_errno(prctl(arg1, &deathsig, arg3, arg4, arg5));
             if (!is_error(ret) && arg2
-                && put_user_ual(deathsig, arg2)) {
+                && put_user_s32(deathsig, arg2)) {
                 return -TARGET_EFAULT;
             }
             return ret;
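Review bot: the `arg2 &&` guard left untouched in this hunk still turns a NULL guest pointer into a success return: the host prctl() is issued with `&deathsig`, nothing is written to the guest, and `ret` comes back as 0, whereas the trigger program's second call, `prctl(PR_GET_PDEATHSIG, 0)`, fails with EFAULT on a native kernel. Consider dropping the `arg2` check so that `put_user_s32(deathsig, arg2)` faults on the NULL address and the `return -TARGET_EFAULT;` path is taken, matching native behaviour. The width change itself is right: `put_user_ual` stores an `abi_ulong`, 8 bytes on aarch64, into a slot the guest declared as `int` and the host filled as `int deathsig`, so the upper 4 bytes landed past the guest variable, which is the stack smashing in the subject; `put_user_s32` writes exactly the 4 bytes the `int *` contract of PR_GET_PDEATHSIG promises.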
-- 
2.26.2
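To make the mechanism behind the fix concrete, here is an added example that is not part of the patch or of QEMU: it models the guest stack frame of the trigger program as a constructed byte buffer (a 4-byte `int PDeathSig` followed by an 8-byte stack-protector canary) and stands in for `put_user_ual` and `put_user_s32` with plain `memcpy` calls that differ only in how many bytes they write. The `model_put_user_*` names, the frame layout and the canary value are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t abi_ulong;   /* assumption: 64-bit guest, as on aarch64 */

/* Constructed guest frame: int PDeathSig at offset 0, then an 8-byte canary
 * sitting right after it, as a stack protector would place it. */
enum { PDEATHSIG_OFF = 0, CANARY_OFF = 4, FRAME_SIZE = 12 };
static const uint64_t CANARY = 0xdeadbeefcafef00dULL;   /* arbitrary constructed value */

static void init_frame(unsigned char frame[FRAME_SIZE])
{
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
}

/* Stand-ins (not QEMU's helpers) for put_user_ual / put_user_s32: both copy
 * the value into guest memory; the only difference is the store width. */
static void model_put_user_ual(abi_ulong v, unsigned char *addr)
{
    memcpy(addr, &v, sizeof v);     /* 8 bytes: 4 past the guest's int */
}

static void model_put_user_s32(int32_t v, unsigned char *addr)
{
    memcpy(addr, &v, sizeof v);     /* 4 bytes: exactly the guest's int */
}

static int canary_intact(const unsigned char frame[FRAME_SIZE])
{
    return memcmp(frame + CANARY_OFF, &CANARY, sizeof CANARY) == 0;
}

/* Emulate the PR_GET_PDEATHSIG store with one of the two helpers.
 * Returns 1 if the canary survived, 0 if the store clobbered it; *readback
 * receives the value the guest would see in its int afterwards. */
int store_pdeathsig(int use_s32, int deathsig, int32_t *readback)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    if (use_s32)
        model_put_user_s32((int32_t)deathsig, frame + PDEATHSIG_OFF);
    else
        model_put_user_ual((abi_ulong)deathsig, frame + PDEATHSIG_OFF);
    memcpy(readback, frame + PDEATHSIG_OFF, sizeof *readback);
    return canary_intact(frame);
}

int main(void)
{
    int32_t v;
    int ok;

    ok = store_pdeathsig(0, 9, &v);   /* 9 == SIGKILL, the value the trigger checks */
    printf("put_user_ual: value %d, canary %s\n", v, ok ? "intact" : "SMASHED");
    ok = store_pdeathsig(1, 9, &v);
    printf("put_user_s32: value %d, canary %s\n", v, ok ? "intact" : "SMASHED");
    return 0;
}
```

On a little-endian host the 8-byte store leaves the guest's `int` holding the right value, which is why the trigger program's comparison against SIGKILL still succeeds; the damage is entirely in the four bytes after it, and with a real stack protector that is the canary check that aborts the process.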