linux-user: Range check the nfds argument to ppoll syscall

Do an initial range check on the ppoll syscall's nfds argument, to avoid possible overflow in the calculation of the lock_user() size argument. The host kernel will later apply the rather lower limit based on RLIMIT_NOFILE as appropriate. Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Signed-off-by: N Riku Voipio <riku.voipio@linaro.org>

linux-user: Range check the nfds argument to ppoll syscall
Do an initial range check on the ppoll syscall's nfds argument, to avoid possible overflow in the calculation of the lock_user() size argument. The host kernel will later apply the rather lower limit based on RLIMIT_NOFILE as appropriate. Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Signed-off-by: N Riku Voipio <riku.voipio@linaro.org>
ce9c139d · Peter Maydell · Riku Voipio · 2ba7fae3 · ce9c139d
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

linux-user/syscall.c linux-user/syscall.c +5 -0

未找到文件。
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9661,6 +9661,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
            pfd = NULL;
            target_pfd = NULL;
            if (nfds) {
+                if (nfds > (INT_MAX / sizeof(struct target_pollfd))) {
+                    ret = -TARGET_EINVAL;
+                    break;
+                }
+
                target_pfd = lock_user(VERIFY_WRITE, arg1,
                                       sizeof(struct target_pollfd) * nfds, 1);
                if (!target_pfd) {