From: Stephen Long Date: Thu, 7 May 2020 13:03:02 +0000 (-0700) Subject: Fix stack smashing when handling PR_GET_PDEATHSIG X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=d9a5eba477e7ed7183a6d417755790d6ecf22cad;p=qemu.git Fix stack smashing when handling PR_GET_PDEATHSIG The bug was triggered by the following code on aarch64-linux-user: int main(void) { int PDeathSig = 0; if (prctl(PR_GET_PDEATHSIG, &PDeathSig) == 0 && PDeathSig == SIGKILL) prctl(PR_GET_PDEATHSIG, 0); return (PDeathSig == SIGKILL); } Signed-off-by: Stephen Long Signed-off-by: Ana Pazos Reviewed-by: Laurent Vivier Message-Id: <20200507130302.3684-1-steplong@quicinc.com> Signed-off-by: Laurent Vivier --- diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 897d20c076..3e0f14f2e6 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -10703,7 +10703,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, int deathsig; ret = get_errno(prctl(arg1, &deathsig, arg3, arg4, arg5)); if (!is_error(ret) && arg2 - && put_user_ual(deathsig, arg2)) { + && put_user_s32(deathsig, arg2)) { return -TARGET_EFAULT; } return ret;
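Review bot: The commit message should spell out the root cause that the hunk makes visible: `deathsig` is declared as an `int` and the guest passes the address of a 4-byte `int` (the test program's `PDeathSig`), but `put_user_ual` stores an `abi_ulong`, which on a 64-bit target such as aarch64 writes 8 bytes into a 4-byte guest variable and clobbers the adjacent stack slot; that is the stack smashing the reproducer triggers. Switching to `put_user_s32` matches the `int *` the kernel expects for PR_GET_PDEATHSIG, so the change is correct. Suggest auditing the other prctl options in `do_syscall1` that copy a result back through `arg2` for the same width mismatch, since the same pattern would be just as silent on 32-bit targets and only bite on 64-bit ones.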