From 7f047de18cf6cd51915d4fdbe1a7e66c38b45e98 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Tue, 31 Oct 2017 13:53:52 +0100 Subject: [PATCH 01/15] linux-user: Restrict usage of sa_restorer Reading and writing to an sa_restorer member that isn't supposed to exist corrupts user memory. Introduce TARGET_ARCH_HAS_SA_RESTORER, similar to the kernel's __ARCH_HAS_SA_RESTORER. Reported-by: Helge Deller Signed-off-by: Richard Henderson Signed-off-by: Riku Voipio --- linux-user/signal.c | 4 ++-- linux-user/syscall_defs.h | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/linux-user/signal.c b/linux-user/signal.c index 7a238aaea1..cf35473671 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -777,7 +777,7 @@ int do_sigaction(int sig, const struct target_sigaction *act, if (oact) { __put_user(k->_sa_handler, &oact->_sa_handler); __put_user(k->sa_flags, &oact->sa_flags); -#if !defined(TARGET_MIPS) +#ifdef TARGET_ARCH_HAS_SA_RESTORER __put_user(k->sa_restorer, &oact->sa_restorer); #endif /* Not swapped. */ @@ -787,7 +787,7 @@ int do_sigaction(int sig, const struct target_sigaction *act, /* FIXME: This is not threadsafe. */ __get_user(k->_sa_handler, &act->_sa_handler); __get_user(k->sa_flags, &act->sa_flags); -#if !defined(TARGET_MIPS) +#ifdef TARGET_ARCH_HAS_SA_RESTORER __get_user(k->sa_restorer, &act->sa_restorer); #endif /* To be swapped in target_to_host_sigset. */ diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index 450960bb54..e366183419 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -445,6 +445,7 @@ int do_sigaction(int sig, const struct target_sigaction *act, #define TARGET_SA_RESTART 2u #define TARGET_SA_NODEFER 0x20u #define TARGET_SA_RESETHAND 4u +#define TARGET_ARCH_HAS_SA_RESTORER 1 #elif defined(TARGET_MIPS) #define TARGET_SA_NOCLDSTOP 0x00000001 #define TARGET_SA_NOCLDWAIT 0x00010000 @@ -483,6 +484,10 @@ int do_sigaction(int sig, const struct target_sigaction *act, #define TARGET_SA_RESTORER 0x04000000 #endif +#ifdef TARGET_SA_RESTORER +#define TARGET_ARCH_HAS_SA_RESTORER 1 +#endif + #if defined(TARGET_ALPHA) #define TARGET_SIGHUP 1 @@ -718,19 +723,27 @@ struct target_sigaction { abi_ulong _sa_handler; #endif target_sigset_t sa_mask; +#ifdef TARGET_ARCH_HAS_SA_RESTORER + /* ??? This is always present, but ignored unless O32. */ + abi_ulong sa_restorer; +#endif }; #else struct target_old_sigaction { abi_ulong _sa_handler; abi_ulong sa_mask; abi_ulong sa_flags; +#ifdef TARGET_ARCH_HAS_SA_RESTORER abi_ulong sa_restorer; +#endif }; struct target_sigaction { abi_ulong _sa_handler; abi_ulong sa_flags; +#ifdef TARGET_ARCH_HAS_SA_RESTORER abi_ulong sa_restorer; +#endif target_sigset_t sa_mask; }; #endif From 2da6e76ccaf5c5aad4192fddaa2062480ad82345 Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 31 Oct 2017 13:53:53 +0100 Subject: [PATCH 02/15] linux-user/hppa: Fix TARGET_SA_* defines Reviewed-by: Laurent Vivier Signed-off-by: Helge Deller Signed-off-by: Richard Henderson Signed-off-by: Riku Voipio --- linux-user/syscall_defs.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index e366183419..38339ecb9a 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -473,6 +473,14 @@ int do_sigaction(int sig, const struct target_sigaction *act, #define TARGET_SA_RESETHAND 0x00000010 #define TARGET_SA_NOCLDWAIT 0x00000020 /* not supported yet */ #define TARGET_SA_SIGINFO 0x00000040 +#elif defined(TARGET_HPPA) +#define TARGET_SA_ONSTACK 0x00000001 +#define TARGET_SA_RESETHAND 0x00000004 +#define TARGET_SA_NOCLDSTOP 0x00000008 +#define TARGET_SA_SIGINFO 0x00000010 +#define TARGET_SA_NODEFER 0x00000020 +#define TARGET_SA_RESTART 0x00000040 +#define TARGET_SA_NOCLDWAIT 0x00000080 #else #define TARGET_SA_NOCLDSTOP 0x00000001 #define TARGET_SA_NOCLDWAIT 0x00000002 /* not supported yet */ From fc37dcfe1a049090e72fd3f4810f0b221cc5399c Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Tue, 31 Oct 2017 13:53:54 +0100 Subject: [PATCH 03/15] linux-user/hppa: Fix cpu_clone_regs By failing to return from the syscall in the child, the child issues another clone syscall and hilarity ensues. Signed-off-by: Richard Henderson Signed-off-by: Riku Voipio --- linux-user/hppa/target_cpu.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux-user/hppa/target_cpu.h b/linux-user/hppa/target_cpu.h index 1a5cecad3c..e50522eae9 100644 --- a/linux-user/hppa/target_cpu.h +++ b/linux-user/hppa/target_cpu.h @@ -24,7 +24,11 @@ static inline void cpu_clone_regs(CPUHPPAState *env, target_ulong newsp) if (newsp) { env->gr[30] = newsp; } + /* Indicate child in return value. */ env->gr[28] = 0; + /* Return from the syscall. */ + env->iaoq_f = env->gr[31]; + env->iaoq_b = env->gr[31] + 4; } static inline void cpu_set_tls(CPUHPPAState *env, target_ulong newtls) From 92afb153103c38c1ccc9d4c34512cf1767e676c5 Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 31 Oct 2017 13:53:55 +0100 Subject: [PATCH 04/15] linux-user/hppa: Fix typo for TARGET_NR_epoll_wait Reviewed-by: Laurent Vivier Signed-off-by: Helge Deller Message-Id: <20170311100543.GA29669@ls3530.fritz.box> Signed-off-by: Richard Henderson Signed-off-by: Riku Voipio --- linux-user/hppa/syscall_nr.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/hppa/syscall_nr.h b/linux-user/hppa/syscall_nr.h index 0f396fa1e2..55bdf71d50 100644 --- a/linux-user/hppa/syscall_nr.h +++ b/linux-user/hppa/syscall_nr.h @@ -228,7 +228,7 @@ #define TARGET_NR_lookup_dcookie 223 #define TARGET_NR_epoll_create 224 #define TARGET_NR_epoll_ctl 225 -#define TARGET_NR_epill_wait 226 +#define TARGET_NR_epoll_wait 226 #define TARGET_NR_remap_file_pages 227 #define TARGET_NR_semtimedop 228 #define TARGET_NR_mq_open 229 From e65be6a7cfe5c991d97ef259c6a88e99ca65e875 Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 31 Oct 2017 13:53:56 +0100 Subject: [PATCH 05/15] linux-user/hppa: Fix TARGET_MAP_TYPE TARGET_MAP_TYPE needs to be 0x03 instead of 0x0f on the hppa architecture, otherwise it conflicts with MAP_FIXED which is 0x04. Signed-off-by: Helge Deller Signed-off-by: Richard Henderson Message-ID: <20170311175019.GA7195@ls3530.fritz.box> Signed-off-by: Riku Voipio --- linux-user/syscall_defs.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index 38339ecb9a..a6ed30d70e 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -1336,7 +1336,11 @@ struct target_winsize { /* Common */ #define TARGET_MAP_SHARED 0x01 /* Share changes */ #define TARGET_MAP_PRIVATE 0x02 /* Changes are private */ -#define TARGET_MAP_TYPE 0x0f /* Mask for type of mapping */ +#if defined(TARGET_HPPA) +#define TARGET_MAP_TYPE 0x03 /* Mask for type of mapping */ +#else +#define TARGET_MAP_TYPE 0x0f /* Mask for type of mapping */ +#endif /* Target specific */ #if defined(TARGET_MIPS) From 3d60c84deaa11826ff0bc7599aeb73cad54c4fbf Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 31 Oct 2017 13:53:57 +0100 Subject: [PATCH 06/15] linux-user/hppa: Fix TARGET_F_RDLCK, TARGET_F_WRLCK, TARGET_F_UNLCK Signed-off-by: Helge Deller Signed-off-by: Richard Henderson Message-ID: <20170311175019.GA7195@ls3530.fritz.box> Signed-off-by: Riku Voipio --- linux-user/syscall_defs.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index a6ed30d70e..daa2a57398 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -2361,6 +2361,9 @@ struct target_statfs64 { #define TARGET_F_SETOWN 24 /* for sockets. */ #define TARGET_F_GETOWN 23 /* for sockets. */ #elif defined(TARGET_HPPA) +#define TARGET_F_RDLCK 1 +#define TARGET_F_WRLCK 2 +#define TARGET_F_UNLCK 3 #define TARGET_F_GETLK 5 #define TARGET_F_SETLK 6 #define TARGET_F_SETLKW 7 From 541e1690420d293c1b09eeb128fac74e98cbef7a Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 31 Oct 2017 13:53:58 +0100 Subject: [PATCH 07/15] linux-user: Handle TARGET_MAP_STACK and TARGET_MAP_HUGETLB Add the missing defines and for TARGET_MAP_STACK and TARGET_MAP_HUGETLB for alpha, mips, ppc, x86, hppa. Fix the mmap_flags translation table to translate MAP_HUGETLB between host and target architecture, and to drop MAP_STACK. Signed-off-by: Helge Deller Message-Id: <20170311183016.GA20514@ls3530.fritz.box> [rth: Drop MAP_STACK instead of translating it, since it is ignored in the kernel anyway. Fix tabs to spaces.] Signed-off-by: Richard Henderson Signed-off-by: Riku Voipio --- linux-user/syscall.c | 31 ++++++++++++++++++++----------- linux-user/syscall_defs.h | 10 ++++++++++ 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index d4497dec5d..8047bf3aac 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -5872,17 +5872,26 @@ static const StructEntry struct_termios_def = { }; static bitmask_transtbl mmap_flags_tbl[] = { - { TARGET_MAP_SHARED, TARGET_MAP_SHARED, MAP_SHARED, MAP_SHARED }, - { TARGET_MAP_PRIVATE, TARGET_MAP_PRIVATE, MAP_PRIVATE, MAP_PRIVATE }, - { TARGET_MAP_FIXED, TARGET_MAP_FIXED, MAP_FIXED, MAP_FIXED }, - { TARGET_MAP_ANONYMOUS, TARGET_MAP_ANONYMOUS, MAP_ANONYMOUS, MAP_ANONYMOUS }, - { TARGET_MAP_GROWSDOWN, TARGET_MAP_GROWSDOWN, MAP_GROWSDOWN, MAP_GROWSDOWN }, - { TARGET_MAP_DENYWRITE, TARGET_MAP_DENYWRITE, MAP_DENYWRITE, MAP_DENYWRITE }, - { TARGET_MAP_EXECUTABLE, TARGET_MAP_EXECUTABLE, MAP_EXECUTABLE, MAP_EXECUTABLE }, - { TARGET_MAP_LOCKED, TARGET_MAP_LOCKED, MAP_LOCKED, MAP_LOCKED }, - { TARGET_MAP_NORESERVE, TARGET_MAP_NORESERVE, MAP_NORESERVE, - MAP_NORESERVE }, - { 0, 0, 0, 0 } + { TARGET_MAP_SHARED, TARGET_MAP_SHARED, MAP_SHARED, MAP_SHARED }, + { TARGET_MAP_PRIVATE, TARGET_MAP_PRIVATE, MAP_PRIVATE, MAP_PRIVATE }, + { TARGET_MAP_FIXED, TARGET_MAP_FIXED, MAP_FIXED, MAP_FIXED }, + { TARGET_MAP_ANONYMOUS, TARGET_MAP_ANONYMOUS, + MAP_ANONYMOUS, MAP_ANONYMOUS }, + { TARGET_MAP_GROWSDOWN, TARGET_MAP_GROWSDOWN, + MAP_GROWSDOWN, MAP_GROWSDOWN }, + { TARGET_MAP_DENYWRITE, TARGET_MAP_DENYWRITE, + MAP_DENYWRITE, MAP_DENYWRITE }, + { TARGET_MAP_EXECUTABLE, TARGET_MAP_EXECUTABLE, + MAP_EXECUTABLE, MAP_EXECUTABLE }, + { TARGET_MAP_LOCKED, TARGET_MAP_LOCKED, MAP_LOCKED, MAP_LOCKED }, + { TARGET_MAP_NORESERVE, TARGET_MAP_NORESERVE, + MAP_NORESERVE, MAP_NORESERVE }, + { TARGET_MAP_HUGETLB, TARGET_MAP_HUGETLB, MAP_HUGETLB, MAP_HUGETLB }, + /* MAP_STACK had been ignored by the kernel for quite some time. + Recognize it for the target insofar as we do not want to pass + it through to the host. */ + { TARGET_MAP_STACK, TARGET_MAP_STACK, 0, 0 }, + { 0, 0, 0, 0 } }; #if defined(TARGET_I386) diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index daa2a57398..bec3680b94 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -1353,6 +1353,8 @@ struct target_winsize { #define TARGET_MAP_NORESERVE 0x0400 /* don't check for reservations */ #define TARGET_MAP_POPULATE 0x10000 /* populate (prefault) pagetables */ #define TARGET_MAP_NONBLOCK 0x20000 /* do not block on IO */ +#define TARGET_MAP_STACK 0x40000 /* ignored */ +#define TARGET_MAP_HUGETLB 0x80000 /* create a huge page mapping */ #elif defined(TARGET_PPC) #define TARGET_MAP_FIXED 0x10 /* Interpret addr exactly */ #define TARGET_MAP_ANONYMOUS 0x20 /* don't use a file */ @@ -1363,6 +1365,8 @@ struct target_winsize { #define TARGET_MAP_NORESERVE 0x0040 /* don't check for reservations */ #define TARGET_MAP_POPULATE 0x8000 /* populate (prefault) pagetables */ #define TARGET_MAP_NONBLOCK 0x10000 /* do not block on IO */ +#define TARGET_MAP_STACK 0x20000 /* ignored */ +#define TARGET_MAP_HUGETLB 0x40000 /* create a huge page mapping */ #elif defined(TARGET_ALPHA) #define TARGET_MAP_ANONYMOUS 0x10 /* don't use a file */ #define TARGET_MAP_FIXED 0x100 /* Interpret addr exactly */ @@ -1373,6 +1377,8 @@ struct target_winsize { #define TARGET_MAP_NORESERVE 0x10000 /* no check for reservations */ #define TARGET_MAP_POPULATE 0x20000 /* pop (prefault) pagetables */ #define TARGET_MAP_NONBLOCK 0x40000 /* do not block on IO */ +#define TARGET_MAP_STACK 0x80000 /* ignored */ +#define TARGET_MAP_HUGETLB 0x100000 /* create a huge page mapping */ #elif defined(TARGET_HPPA) #define TARGET_MAP_ANONYMOUS 0x10 /* don't use a file */ #define TARGET_MAP_FIXED 0x04 /* Interpret addr exactly */ @@ -1383,6 +1389,8 @@ struct target_winsize { #define TARGET_MAP_NORESERVE 0x04000 /* no check for reservations */ #define TARGET_MAP_POPULATE 0x10000 /* pop (prefault) pagetables */ #define TARGET_MAP_NONBLOCK 0x20000 /* do not block on IO */ +#define TARGET_MAP_STACK 0x40000 /* ignored */ +#define TARGET_MAP_HUGETLB 0x80000 /* create a huge page mapping */ #else #define TARGET_MAP_FIXED 0x10 /* Interpret addr exactly */ #define TARGET_MAP_ANONYMOUS 0x20 /* don't use a file */ @@ -1393,6 +1401,8 @@ struct target_winsize { #define TARGET_MAP_NORESERVE 0x4000 /* don't check for reservations */ #define TARGET_MAP_POPULATE 0x8000 /* populate (prefault) pagetables */ #define TARGET_MAP_NONBLOCK 0x10000 /* do not block on IO */ +#define TARGET_MAP_STACK 0x20000 /* ignored */ +#define TARGET_MAP_HUGETLB 0x40000 /* create a huge page mapping */ #define TARGET_MAP_UNINITIALIZED 0x4000000 /* for anonymous mmap, memory could be uninitialized */ #endif From 8bf8e9df4a7d82c7a47cc961c9cdee1615595de0 Mon Sep 17 00:00:00 2001 From: James Clarke Date: Fri, 15 Sep 2017 20:33:13 +0100 Subject: [PATCH 08/15] linux-user/syscall.c: Handle SH4's exceptional alignment for p{read, write}64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://bugs.launchpad.net/qemu/+bug/1716767 Reviewed-by: Laurent Vivier Reviewed-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Tested-By: John Paul Adrian Glaubitz Signed-off-by: James Clarke Signed-off-by: Riku Voipio --- linux-user/syscall.c | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 8047bf3aac..9268c3ef69 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -671,18 +671,32 @@ static inline int next_free_host_timer(void) /* ARM EABI and MIPS expect 64bit types aligned even on pairs or registers */ #ifdef TARGET_ARM -static inline int regpairs_aligned(void *cpu_env) { +static inline int regpairs_aligned(void *cpu_env, int num) +{ return ((((CPUARMState *)cpu_env)->eabi) == 1) ; } #elif defined(TARGET_MIPS) && (TARGET_ABI_BITS == 32) -static inline int regpairs_aligned(void *cpu_env) { return 1; } +static inline int regpairs_aligned(void *cpu_env, int num) { return 1; } #elif defined(TARGET_PPC) && !defined(TARGET_PPC64) /* SysV AVI for PPC32 expects 64bit parameters to be passed on odd/even pairs * of registers which translates to the same as ARM/MIPS, because we start with * r3 as arg1 */ -static inline int regpairs_aligned(void *cpu_env) { return 1; } +static inline int regpairs_aligned(void *cpu_env, int num) { return 1; } +#elif defined(TARGET_SH4) +/* SH4 doesn't align register pairs, except for p{read,write}64 */ +static inline int regpairs_aligned(void *cpu_env, int num) +{ + switch (num) { + case TARGET_NR_pread64: + case TARGET_NR_pwrite64: + return 1; + + default: + return 0; + } +} #else -static inline int regpairs_aligned(void *cpu_env) { return 0; } +static inline int regpairs_aligned(void *cpu_env, int num) { return 0; } #endif #define ERRNO_TABLE_SIZE 1200 @@ -6870,7 +6884,7 @@ static inline abi_long target_truncate64(void *cpu_env, const char *arg1, abi_long arg3, abi_long arg4) { - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, TARGET_NR_truncate64)) { arg2 = arg3; arg3 = arg4; } @@ -6884,7 +6898,7 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1, abi_long arg3, abi_long arg4) { - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, TARGET_NR_ftruncate64)) { arg2 = arg3; arg3 = arg4; } @@ -10508,7 +10522,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #endif #ifdef TARGET_NR_pread64 case TARGET_NR_pread64: - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, num)) { arg4 = arg5; arg5 = arg6; } @@ -10518,7 +10532,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, unlock_user(p, arg2, ret); break; case TARGET_NR_pwrite64: - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, num)) { arg4 = arg5; arg5 = arg6; } @@ -11288,7 +11302,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, arg6 = ret; #else /* 6 args: fd, offset (high, low), len (high, low), advice */ - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, num)) { /* offset is in (3,4), len in (5,6) and advice in 7 */ arg2 = arg3; arg3 = arg4; @@ -11307,7 +11321,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #ifdef TARGET_NR_fadvise64 case TARGET_NR_fadvise64: /* 5 args: fd, offset (high, low), len, advice */ - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, num)) { /* offset is in (3,4), len in 5 and advice in 6 */ arg2 = arg3; arg3 = arg4; @@ -11420,7 +11434,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #ifdef TARGET_NR_readahead case TARGET_NR_readahead: #if TARGET_ABI_BITS == 32 - if (regpairs_aligned(cpu_env)) { + if (regpairs_aligned(cpu_env, num)) { arg2 = arg3; arg3 = arg4; arg4 = arg5; From a4dd3d5172c951e05a7424f14c0f9372522b48f8 Mon Sep 17 00:00:00 2001 From: "Emilio G. Cota" Date: Wed, 18 Oct 2017 18:01:41 -0400 Subject: [PATCH 09/15] linux-user: fix 'finshed' typo in comment Signed-off-by: Emilio G. Cota Signed-off-by: Riku Voipio --- linux-user/syscall.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 9268c3ef69..84e123b67b 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6258,7 +6258,7 @@ static void *clone_func(void *arg) pthread_mutex_lock(&info->mutex); pthread_cond_broadcast(&info->cond); pthread_mutex_unlock(&info->mutex); - /* Wait until the parent has finshed initializing the tls state. */ + /* Wait until the parent has finished initializing the tls state. */ pthread_mutex_lock(&clone_lock); pthread_mutex_unlock(&clone_lock); cpu_loop(env); From a8b154a637b586441bad42259a8a9b9619cd117c Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Mon, 6 Nov 2017 18:03:51 +0000 Subject: [PATCH 10/15] linux-user: return EINVAL from prctl(PR_*_SECCOMP) If an application tries to install a seccomp filter using prctl(PR_SET_SECCOMP), the filter is likely for the target instead of the host architecture. This will probably cause qemu to be immediately killed when it executes another syscall. Prevent this from happening by returning EINVAL from both seccomp prctl calls. This is the error returned by the kernel when seccomp support is disabled. Fixes: https://bugs.launchpad.net/qemu/+bug/1726394 Reviewed-by: Laurent Vivier Signed-off-by: James Cowgill Signed-off-by: Riku Voipio --- linux-user/syscall.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 84e123b67b..f31b853bb7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -10505,6 +10505,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, break; } #endif + case PR_GET_SECCOMP: + case PR_SET_SECCOMP: + /* Disable seccomp to prevent the target disabling syscalls we + * need. */ + ret = -TARGET_EINVAL; + break; default: /* Most prctl options have no pointer arguments */ ret = get_errno(prctl(arg1, arg2, arg3, arg4, arg5)); From f2d34df3c1a88a2cf86eb0afc88c369d799ae431 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 6 Nov 2017 18:33:23 +0000 Subject: [PATCH 11/15] linux-user/s390x: Mask si_addr for SIGSEGV MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For s390x, the address passed to a signal handler in the siginfo_t si_addr field is masked (in the kernel this is done in do_sigbus() and do_sigsegv() in arch/s390/mm/fault.c). Implement this architecture-specific oddity in linux-user. This is one of the issues described in https://bugs.launchpad.net/qemu/+bug/1705118 Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/linux-user/main.c b/linux-user/main.c index aa02f25b85..b6dd9efd2d 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -3238,6 +3238,10 @@ void cpu_loop(CPUAlphaState *env) #endif /* TARGET_ALPHA */ #ifdef TARGET_S390X + +/* s390x masks the fault address it reports in si_addr for SIGSEGV and SIGBUS */ +#define S390X_FAIL_ADDR_MASK -4096LL + void cpu_loop(CPUS390XState *env) { CPUState *cs = CPU(s390_env_get_cpu(env)); @@ -3294,7 +3298,7 @@ void cpu_loop(CPUS390XState *env) sig = TARGET_SIGSEGV; /* XXX: check env->error_code */ n = TARGET_SEGV_MAPERR; - addr = env->__excp_addr; + addr = env->__excp_addr & S390X_FAIL_ADDR_MASK; goto do_signal; case PGM_EXECUTE: case PGM_SPECIFICATION: From 15e692a6fc716f32976eea47946a4892e8ad7a3f Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 6 Nov 2017 18:33:24 +0000 Subject: [PATCH 12/15] linux-user/ppc: Report correct fault address for data faults For faults on loads and stores, ppc_cpu_handle_mmu_fault() in target/ppc/user_only_helper.c stores the offending address in env->spr[SPR_DAR]. Report this correctly to the guest in si_addr, rather than incorrectly using the address of the instruction that caused the fault. This fixes the test case in https://bugs.launchpad.net/qemu/+bug/1077116 for ppc, ppc64 and ppc64le. Reviewed-by: Laurent Vivier Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/main.c b/linux-user/main.c index b6dd9efd2d..6286661bd3 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -1420,7 +1420,7 @@ void cpu_loop(CPUPPCState *env) info.si_code = TARGET_SEGV_MAPERR; break; } - info._sifields._sigfault._addr = env->nip; + info._sifields._sigfault._addr = env->spr[SPR_DAR]; queue_signal(env, info.si_signo, QEMU_SI_FAULT, &info); break; case POWERPC_EXCP_ISI: /* Instruction storage exception */ From 8d8cb956e0a679fcf0a8e24f1b2f34e038cdd48e Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 6 Nov 2017 18:33:25 +0000 Subject: [PATCH 13/15] linux-user/sparc: Put address for data faults where linux-user expects it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the user-mode-only version of sparc_cpu_handle_mmu_fault(), we must save the fault address for a data fault into the CPU state's mmu registers, because the code in linux-user/main.c expects to find it there in order to populate the si_addr field of the guest siginfo. Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- target/sparc/mmu_helper.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/target/sparc/mmu_helper.c b/target/sparc/mmu_helper.c index 126ea5e3ee..d5b6c1e48c 100644 --- a/target/sparc/mmu_helper.c +++ b/target/sparc/mmu_helper.c @@ -30,10 +30,18 @@ int sparc_cpu_handle_mmu_fault(CPUState *cs, vaddr address, int rw, int mmu_idx) { + SPARCCPU *cpu = SPARC_CPU(cs); + CPUSPARCState *env = &cpu->env; + if (rw & 2) { cs->exception_index = TT_TFAULT; } else { cs->exception_index = TT_DFAULT; +#ifdef TARGET_SPARC64 + env->dmmu.mmuregs[4] = address; +#else + env->mmuregs[4] = address; +#endif } return 1; } From 78bfef72fbf8705f002c5c57cf3f1d3b8e83399e Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 6 Nov 2017 18:33:26 +0000 Subject: [PATCH 14/15] linux-user: Handle rt_sigaction correctly for SPARC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SPARC is like Alpha in its handling of the rt_sigaction syscall: it takes an extra parameter 'restorer' which needs to be copied into the sa_restorer field of the sigaction struct. The order of the arguments differs slightly between SPARC and Alpha but the implementation is otherwise the same. (Compare the rt_sigaction() functions in arch/sparc/kernel/sys_sparc_64.c and arch/alpha/kernel/signal.c.) Note that this change is somewhat moot until SPARC acquires support for actually delivering RT signals. Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index f31b853bb7..11c9116c4a 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8579,8 +8579,16 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, case TARGET_NR_rt_sigaction: { #if defined(TARGET_ALPHA) - struct target_sigaction act, oact, *pact = 0; + /* For Alpha and SPARC this is a 5 argument syscall, with + * a 'restorer' parameter which must be copied into the + * sa_restorer field of the sigaction struct. + * For Alpha that 'restorer' is arg5; for SPARC it is arg4, + * and arg5 is the sigsetsize. + * Alpha also has a separate rt_sigaction struct that it uses + * here; SPARC uses the usual sigaction struct. + */ struct target_rt_sigaction *rt_act; + struct target_sigaction act, oact, *pact = 0; if (arg4 != sizeof(target_sigset_t)) { ret = -TARGET_EINVAL; @@ -8606,18 +8614,29 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, unlock_user_struct(rt_act, arg3, 1); } #else +#ifdef TARGET_SPARC + target_ulong restorer = arg4; + target_ulong sigsetsize = arg5; +#else + target_ulong sigsetsize = arg4; +#endif struct target_sigaction *act; struct target_sigaction *oact; - if (arg4 != sizeof(target_sigset_t)) { + if (sigsetsize != sizeof(target_sigset_t)) { ret = -TARGET_EINVAL; break; } if (arg2) { - if (!lock_user_struct(VERIFY_READ, act, arg2, 1)) + if (!lock_user_struct(VERIFY_READ, act, arg2, 1)) { goto efault; - } else + } +#ifdef TARGET_SPARC + act->sa_restorer = restorer; +#endif + } else { act = NULL; + } if (arg3) { if (!lock_user_struct(VERIFY_WRITE, oact, arg3, 0)) { ret = -TARGET_EFAULT; From f516511ea84d8bb3395d6ea95a7c7b80dc2a05e9 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 7 Nov 2017 18:25:18 +0000 Subject: [PATCH 15/15] linux-user: Fix calculation of auxv length In commit 7c4ee5bcc82e643 we changed the order in which we construct the AUXV, but forgot to adjust the calculation of the length. The result is that we set info->auxv_len to a bogus and negative value, and then later on the code in open_self_auxv() gets confused and ends up presenting the guest with an empty file. Since we now have to calculate the auxv length up-front as part of figuring out how much we're going to put on the stack, set info->auxv_len then; this allows us to assert that we put the same number of entries into auxv as we pre-calculated, rather than merely having a comment saying we need to do that. Fixes: https://bugs.launchpad.net/qemu/+bug/1728116 Reviewed-by: Richard Henderson Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/elfload.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 3b857fbc9c..20f3d8c2c3 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1732,6 +1732,8 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, #ifdef ELF_HWCAP2 size += 2; #endif + info->auxv_len = size * n; + size += envc + argc + 2; size += 1; /* argc itself */ size *= n; @@ -1760,7 +1762,6 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, put_user_ual(val, u_auxv); u_auxv += n; \ } while(0) - /* There must be exactly DLINFO_ITEMS entries here. */ #ifdef ARCH_DLINFO /* * ARCH_DLINFO must come first so platform specific code can enforce @@ -1768,6 +1769,9 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, */ ARCH_DLINFO; #endif + /* There must be exactly DLINFO_ITEMS entries here, or the assert + * on info->auxv_len will trigger. + */ NEW_AUX_ENT(AT_PHDR, (abi_ulong)(info->load_addr + exec->e_phoff)); NEW_AUX_ENT(AT_PHENT, (abi_ulong)(sizeof (struct elf_phdr))); NEW_AUX_ENT(AT_PHNUM, (abi_ulong)(exec->e_phnum)); @@ -1793,7 +1797,10 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, NEW_AUX_ENT (AT_NULL, 0); #undef NEW_AUX_ENT - info->auxv_len = u_argv - info->saved_auxv; + /* Check that our initial calculation of the auxv length matches how much + * we actually put into it. + */ + assert(info->auxv_len == u_auxv - info->saved_auxv); put_user_ual(argc, u_argc);