On 2/10/23 13:18, Warner Losh wrote:
+abi_long do_freebsd_sysctl(CPUArchState *env, abi_ulong namep, int32_t namelen,
+ abi_ulong oldp, abi_ulong oldlenp, abi_ulong newp, abi_ulong newlen)
+{
+ abi_long ret;
+ void *hnamep, *holdp = NULL, *hnewp = NULL;
+ size_t holdlen;
+ abi_ulong oldlen = 0;
+ int32_t *snamep = g_malloc(sizeof(int32_t) * namelen), *p, *q, i;
+
+ if (oldlenp) {
+ if (get_user_ual(oldlen, oldlenp)) {
+ return -TARGET_EFAULT;
+ }
+ }
You need to check for write early. Either access_ok, or lock_user.
+ for (p = hnamep, q = snamep, i = 0; i < namelen; p++, i++) {
+ *q++ = tswap32(*p);
+ }
Why the inconsistent increments?
+ unlock_user(holdp, oldp, holdlen);
Usually we don't want writeback on error.
r~
