migration/multifd: Protect accesses to migration_threads

[mirror_qemu.git] / linux-user / uaccess.c

diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c
index ed50437566f9d0bd47b039cc384ca247926c355e..425cbf677f760351a5d70ac3d6fe9f8197c85694 100644 (file)
--- a/linux-user/uaccess.c
+++ b/linux-user/uaccess.c
@@ -1,60 +1,97 @@
 /* User memory access */
-#include <stdio.h>
-#include <string.h>
+#include "qemu/osdep.h"
+#include "qemu/cutils.h"
 
 #include "qemu.h"
+#include "user-internals.h"
+
+void *lock_user(int type, abi_ulong guest_addr, ssize_t len, bool copy)
+{
+    void *host_addr;
+
+    guest_addr = cpu_untagged_addr(thread_cpu, guest_addr);
+    if (!access_ok_untagged(type, guest_addr, len)) {
+        return NULL;
+    }
+    host_addr = g2h_untagged(guest_addr);
+#ifdef DEBUG_REMAP
+    if (copy) {
+        host_addr = g_memdup(host_addr, len);
+    } else {
+        host_addr = g_malloc0(len);
+    }
+#endif
+    return host_addr;
+}
+
+#ifdef DEBUG_REMAP
+void unlock_user(void *host_ptr, abi_ulong guest_addr, ssize_t len)
+{
+    void *host_ptr_conv;
+
+    if (!host_ptr) {
+        return;
+    }
+    host_ptr_conv = g2h(thread_cpu, guest_addr);
+    if (host_ptr == host_ptr_conv) {
+        return;
+    }
+    if (len > 0) {
+        memcpy(host_ptr_conv, host_ptr, len);
+    }
+    g_free(host_ptr);
+}
+#endif
+
+void *lock_user_string(abi_ulong guest_addr)
+{
+    ssize_t len = target_strlen(guest_addr);
+    if (len < 0) {
+        return NULL;
+    }
+    return lock_user(VERIFY_READ, guest_addr, len + 1, 1);
+}
 
 /* copy_from_user() and copy_to_user() are usually used to copy data
  * buffers between the target and host.  These internally perform
  * locking/unlocking of the memory.
  */
-abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len)
+int copy_from_user(void *hptr, abi_ulong gaddr, ssize_t len)
 {
-    abi_long ret = 0;
-    void *ghptr;
+    int ret = 0;
+    void *ghptr = lock_user(VERIFY_READ, gaddr, len, 1);
 
-    if ((ghptr = lock_user(VERIFY_READ, gaddr, len, 1))) {
+    if (ghptr) {
         memcpy(hptr, ghptr, len);
         unlock_user(ghptr, gaddr, 0);
-    } else
+    } else {
         ret = -TARGET_EFAULT;
-
+    }
     return ret;
 }
 
-
-abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len)
+int copy_to_user(abi_ulong gaddr, void *hptr, ssize_t len)
 {
-    abi_long ret = 0;
-    void *ghptr;
+    int ret = 0;
+    void *ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0);
 
-    if ((ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0))) {
+    if (ghptr) {
         memcpy(ghptr, hptr, len);
-       unlock_user(ghptr, gaddr, len);
-    } else
+        unlock_user(ghptr, gaddr, len);
+    } else {
         ret = -TARGET_EFAULT;
+    }
 
     return ret;
 }
 
-/* XXX: use host strnlen if available ? */
-static int qemu_strnlen(const char *s, int max_len)
-{
-    int i;
-    for(i = 0; i < max_len; i++) {
-        if (s[i] == '\0')
-            break;
-    }
-    return i;
-}
-
 /* Return the length of a string in target memory or -TARGET_EFAULT if
    access error  */
-abi_long target_strlen(abi_ulong guest_addr1)
+ssize_t target_strlen(abi_ulong guest_addr1)
 {
     uint8_t *ptr;
     abi_ulong guest_addr;
-    int max_len, len;
+    size_t max_len, len;
 
     guest_addr = guest_addr1;
     for(;;) {
@@ -62,15 +99,16 @@ abi_long target_strlen(abi_ulong guest_addr1)
         ptr = lock_user(VERIFY_READ, guest_addr, max_len, 1);
         if (!ptr)
             return -TARGET_EFAULT;
-        len = qemu_strnlen(ptr, max_len);
+        len = qemu_strnlen((const char *)ptr, max_len);
         unlock_user(ptr, guest_addr, 0);
         guest_addr += len;
         /* we don't allow wrapping or integer overflow */
-        if (guest_addr == 0 || 
-            (guest_addr - guest_addr1) > 0x7fffffff)
+        if (guest_addr == 0 || (guest_addr - guest_addr1) > 0x7fffffff) {
             return -TARGET_EFAULT;
-        if (len != max_len)
+        }
+        if (len != max_len) {
             break;
+        }
     }
     return guest_addr - guest_addr1;
 }