mcexec: copy a pathname string of open(2) safely

When a open system call request is delegated, mcexec will check whether a path name is known one such as "/proc/meminfo" and "/proc/cpuinfo". During this check, if mcexec causes a SIGSEGV or SIGBUS signal, mcexec will begin a loop, because mcexec has a signal handler which returns simply.
2014-03-28 13:19:36 +09:00
parent 583c9355cd
commit da81cd2d1d
1 changed files with 11 additions and 4 deletions
--- a/executer/user/mcexec.c
+++ b/executer/user/mcexec.c
@ -959,7 +959,6 @@ kill_thread(unsigned long cpu)
 	}
 }

-#if 0
 static long do_strncpy_from_user(int fd, void *dest, void *src, unsigned long n)
 {
 	struct strncpy_from_user_desc desc;
@ -978,7 +977,6 @@ static long do_strncpy_from_user(int fd, void *dest, void *src, unsigned long n)

 	return desc.result;
 }
-#endif

 #define SET_ERR(ret) if (ret == -1) ret = -errno

@ -990,6 +988,7 @@ int main_loop(int fd, int cpu, pthread_mutex_t *lock)
 	int sig;
 	int term;
 	struct timeval tv;
+	char pathbuf[PATH_MAX];

 	w.cpu = cpu;
 	w.pid = getpid();
@ -1008,9 +1007,17 @@ int main_loop(int fd, int cpu, pthread_mutex_t *lock)

 		switch (w.sr.number) {
 		case __NR_open:
-			__dprintf("open: %s\n", (char *)w.sr.args[0]);
+			ret = do_strncpy_from_user(fd, pathbuf, (void *)w.sr.args[0], PATH_MAX);
+			if (ret >= PATH_MAX) {
+				ret = -ENAMETOOLONG;
+			}
+			if (ret < 0) {
+				do_syscall_return(fd, cpu, ret, 0, 0, 0, 0);
+				break;
+			}
+			__dprintf("open: %s\n", pathbuf);

-			fn = (char *)w.sr.args[0];
+			fn = pathbuf;
 			if(!strcmp(fn, "/proc/meminfo")){
 				fn = "/admin/fs/attached/files/proc/meminfo";
 			}