From: Tom Musta
Date: Tue, 12 Aug 2014 18:53:33 +0000 (-0500)
Subject: linux-user: Dereference Pointer Argument to ipc/semctl Sys Call
X-Git-Tag: v2.2.0-rc0~165^2~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d2fa8ebb4dae0057ed9baab617971dcd5ea493f;p=thirdparty%2Fqemu.git

linux-user: Dereference Pointer Argument to ipc/semctl Sys Call

When the ipc system call is used to wrap a semctl system call, the ptr argument to ipc needs to be dereferenced prior to passing it to the semctl handler. This is because the fourth argument to semctl is a union and not a pointer to a union.

Signed-off-by: Tom Musta
Signed-off-by: Riku Voipio
---
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index fba7fd28cb2..08fdd940143 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3140,9 +3140,15 @@ static abi_long do_ipc(unsigned int call, int first, ret = get_errno(semget(first, second, third)); break; - case IPCOP_semctl: - ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) ptr); + case IPCOP_semctl: { + /* The semun argument to semctl is passed by value, so dereference the + * ptr argument. */ + abi_ulong atptr; + get_user_ual(atptr, (abi_ulong)ptr); + ret = do_semctl(first, second, third, + (union target_semun)(abi_ulong) atptr); break; + } case IPCOP_msgget: ret = get_errno(msgget(first, second));
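Review bot: the return value of `get_user_ual(atptr, (abi_ulong)ptr);` in the new IPCOP_semctl block is discarded, so a guest that passes an unreadable `ptr` gets `atptr` left at its fault-path value and the call proceeds into `do_semctl` instead of failing with EFAULT. Check it the way the rest of the file does, e.g. `if (get_user_ual(atptr, (abi_ulong)ptr)) { return -TARGET_EFAULT; }` before the `do_semctl` call, so a bad guest pointer is reported back to the guest rather than silently turned into a semun value.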