The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
* we fail these cases EINVAL rather than EFAULT
* we don't pass negative or overflowing values to the
lock_user() size calculation
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
int maxevents = arg3;
int timeout = arg4;
+ if (maxevents <= 0 || maxevents > TARGET_EP_MAX_EVENTS) {
+ ret = -TARGET_EINVAL;
+ break;
+ }
+
target_ep = lock_user(VERIFY_WRITE, arg2,
maxevents * sizeof(struct target_epoll_event), 1);
if (!target_ep) {
abi_uint events;
target_epoll_data_t data;
} TARGET_EPOLL_PACKED;
+
+#define TARGET_EP_MAX_EVENTS (INT_MAX / sizeof(struct target_epoll_event))
+
#endif
struct target_rlimit64 {
uint64_t rlim_cur;