Fix stack smashing when handling PR_GET_PDEATHSIG
authorStephen Long <steplong@quicinc.com>
Thu, 7 May 2020 13:03:02 +0000 (06:03 -0700)
committerLaurent Vivier <laurent@vivier.eu>
Fri, 23 Oct 2020 12:21:15 +0000 (14:21 +0200)
The bug was triggered by the following code on aarch64-linux-user:

int main(void)
{
  int PDeathSig = 0;
  if (prctl(PR_GET_PDEATHSIG, &PDeathSig) == 0 && PDeathSig == SIGKILL)
    prctl(PR_GET_PDEATHSIG, 0);
  return (PDeathSig == SIGKILL);
}

Signed-off-by: Stephen Long <steplong@quicinc.com>
Signed-off-by: Ana Pazos <apazos@quicinc.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20200507130302.3684-1-steplong@quicinc.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
linux-user/syscall.c

index 897d20c076ce1bb7193f5ce74c09da22e14c0a4f..3e0f14f2e67fcfbc1ad2768d4bf0892930cf3b80 100644 (file)
@@ -10703,7 +10703,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
             int deathsig;
             ret = get_errno(prctl(arg1, &deathsig, arg3, arg4, arg5));
             if (!is_error(ret) && arg2
-                && put_user_ual(deathsig, arg2)) {
+                && put_user_s32(deathsig, arg2)) {
                 return -TARGET_EFAULT;
             }
             return ret;
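Review bot: The width mismatch that caused the overflow is not recorded next to the code, so a reader of `put_user_s32(deathsig, arg2)` has nothing telling them why a fixed 32-bit store is required where the replaced line used the target-ulong store; add `/* PR_GET_PDEATHSIG: the kernel stores an int, so copy exactly 4 bytes to the guest. */` above the `int deathsig;` declaration. Separately, when arg2 is 0 the host prctl() is still performed through the local `&deathsig` and the guest receives `ret` (success) with nothing written, whereas a Linux kernel would presumably fail its own put_user() and return -EFAULT for a null pointer; if the emulation is meant to match that, `if (!arg2) return -TARGET_EFAULT;` before the host call would do it, though the current leniency may be deliberate. The enclosing do_syscall1() starts and ends outside the hunk.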