[PATCH] linux-user: properly check flags in openat2

Andreas Schwab posted 1 patch 9 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/mvmpl6d9cgl.fsf@suse.de
Maintainers: Laurent Vivier <laurent@vivier.eu>, Pierrick Bouvier <pierrick.bouvier@linaro.org>
linux-user/syscall.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH] linux-user: properly check flags in openat2
Posted by Andreas Schwab 9 hours ago
target_to_host_bitmask truncates the bitmask to int.  Check that the upper
half of the flags do not have any bits set.

Signed-off-by: Andreas Schwab <schwab@suse.de>
---
 linux-user/syscall.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8469b81878..667aea6a03 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8822,6 +8822,10 @@ static int do_openat2(CPUArchState *cpu_env, abi_long dirfd,
         }
         return ret;
     }
+    if (tswap64(how.flags) >> 32) {
+        return -TARGET_EINVAL;
+    }
+
     pathname = lock_user_string(guest_pathname);
     if (!pathname) {
         return -TARGET_EFAULT;
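Review bot: the bare `if (tswap64(how.flags) >> 32)` at the top of this hunk needs a comment saying why the upper half is rejected; the reason (the flags are later fed to target_to_host_bitmask(), which takes an int and would silently drop bits 32..63) is only in the commit message, so in the code the shift reads as magic. Something like `/* target_to_host_bitmask() takes an int; reject anything it would silently truncate */` above the test would do. -TARGET_EINVAL is the right return here, matching what the native openat2() gives for unknown flag bits. One caveat worth stating in that comment: the check is only correct while every flag in the open_flags translation table fits in 32 bits; if a 64-bit flag is ever added, the conversion itself has to be widened rather than this check relaxed.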
-- 
2.53.0


-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
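The truncation the commit message describes, as an added example that is not QEMU code and not part of the original post. It models an int-sized bitmask translation (a hypothetical `target_to_host_bitmask_demo` over a constructed three-entry flag table, not QEMU's real table) and shows that a 64-bit guest flags word with a bogus bit 40 set is silently accepted by the unchecked path, while a path that rejects the upper half first, as the patch does, returns -EINVAL. All `_demo` names and the flag values are made up for illustration.

```c
/* Added example (not QEMU code): an int-sized bitmask translation silently
 * drops bits 32..63 of a 64-bit open_how.flags; checking the upper half
 * first closes that gap.  All *_demo names and values are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Constructed table: "target" flag bits mapped to "host" flag bits, in the
 * style of a bitmask translation table.  Entry 1 is renumbered on the host. */
struct bitmask_transtbl_demo {
    uint32_t target_mask, target_bits;
    uint32_t host_mask,   host_bits;
};

static const struct bitmask_transtbl_demo open_flags_demo[] = {
    { 0x0001, 0x0001, 0x0001, 0x0001 },   /* e.g. a "write" bit   */
    { 0x0040, 0x0040, 0x0200, 0x0200 },   /* e.g. a "create" bit  */
    { 0x0400, 0x0400, 0x0400, 0x0400 },   /* e.g. an "append" bit */
};

#define TBL_LEN_DEMO (sizeof(open_flags_demo) / sizeof(open_flags_demo[0]))

/* Mirrors the shape of an int-based translator: the parameter is 32 bits
 * wide, so whatever the caller had in bits 32..63 never arrives here. */
static uint32_t target_to_host_bitmask_demo(uint32_t target_flags)
{
    uint32_t host = 0;
    for (size_t i = 0; i < TBL_LEN_DEMO; i++) {
        if ((target_flags & open_flags_demo[i].target_mask)
            == open_flags_demo[i].target_bits) {
            host |= open_flags_demo[i].host_bits;
        }
    }
    return host;
}

/* Unpatched shape: the 64-bit guest value is handed straight to the
 * int-sized translator.  Always "succeeds", even for garbage high bits. */
static int translate_unchecked_demo(uint64_t guest_flags, uint32_t *host_flags)
{
    *host_flags = target_to_host_bitmask_demo((uint32_t)guest_flags);
    return 0;
}

/* Patched shape: reject any bit in the upper half before translating,
 * the way the patch does with `if (tswap64(how.flags) >> 32)`. */
static int translate_checked_demo(uint64_t guest_flags, uint32_t *host_flags)
{
    if (guest_flags >> 32) {
        return -EINVAL;
    }
    *host_flags = target_to_host_bitmask_demo((uint32_t)guest_flags);
    return 0;
}

int main(void)
{
    /* Constructed guest input: a valid low flag (0x40) plus a bogus bit 40,
     * which a native openat2() would reject outright. */
    uint64_t guest_flags = 0x0040 | (1ULL << 40);
    uint32_t host = 0;
    int ret;

    ret = translate_unchecked_demo(guest_flags, &host);
    printf("unchecked: ret=%d host=0x%x (bit 40 silently dropped)\n", ret, host);

    ret = translate_checked_demo(guest_flags, &host);
    printf("checked:   ret=%d (-EINVAL, bogus high bit rejected)\n", ret);
    return 0;
}
```

The unchecked path turns the invalid 64-bit word into a perfectly valid host flag set, so the emulated syscall succeeds where the real kernel would fail; the checked path preserves the kernel's answer.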
Re: [PATCH] linux-user: properly check flags in openat2
Posted by Helge Deller 3 hours ago
On 2/10/26 10:26, Andreas Schwab wrote:
> target_to_host_bitmask truncates the bitmask to int.  Check that the upper
> half of the flags do not have any bits set.
> 
> Signed-off-by: Andreas Schwab <schwab@suse.de>
> ---
>   linux-user/syscall.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 8469b81878..667aea6a03 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -8822,6 +8822,10 @@ static int do_openat2(CPUArchState *cpu_env, abi_long dirfd,
>           }
>           return ret;
>       }
> +    if (tswap64(how.flags) >> 32) {
> +        return -TARGET_EINVAL;
> +    }

Seems a little hackish. Basically target_to_host_bitmask()
could be extended to handle 64-bit values too.
But as long as all values which we test fit into 32 bits,
I think this is a valid patch.

Reviewed-by: Helge Deller <deller@gmx.de>

Helge

> +
>       pathname = lock_user_string(guest_pathname);
>       if (!pathname) {
>           return -TARGET_EFAULT;