From: Peter Maydell <peter.mayd...@linaro.org>
Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Riku Voipio <riku.voi...@linaro.org>
---
linux-user/syscall.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index eecccbb..7a50a57 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9661,6 +9661,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
arg1,
pfd = NULL;
target_pfd = NULL;
if (nfds) {
+ if (nfds > (INT_MAX / sizeof(struct target_pollfd))) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+
target_pfd = lock_user(VERIFY_WRITE, arg1,
sizeof(struct target_pollfd) * nfds, 1);
if (!target_pfd) {
--
2.1.4
