On Sat, Feb 11, 2023 at 4:09 PM Richard Henderson <
richard.hender...@linaro.org> wrote:
> On 2/10/23 13:18, Warner Losh wrote:
> > +abi_long do_freebsd_sysctl(CPUArchState *env, abi_ulong namep, int32_t
> namelen,
> > + abi_ulong oldp, abi_ulong oldlenp, abi_ulong newp, abi_ulong
> newlen)
> > +{
> > + abi_long ret;
> > + void *hnamep, *holdp = NULL, *hnewp = NULL;
> > + size_t holdlen;
> > + abi_ulong oldlen = 0;
> > + int32_t *snamep = g_malloc(sizeof(int32_t) * namelen), *p, *q, i;
> > +
> > + if (oldlenp) {
> > + if (get_user_ual(oldlen, oldlenp)) {
> > + return -TARGET_EFAULT;
> > + }
> > + }
>
> You need to check for write early. Either access_ok, or lock_user.
>
> > + for (p = hnamep, q = snamep, i = 0; i < namelen; p++, i++) {
> > + *q++ = tswap32(*p);
> > + }
>
> Why the inconsistent increments?
>
no reason... Fixed.
> > + unlock_user(holdp, oldp, holdlen);
>
> Usually we don't want writeback on error.
>
Indeed. Fixed as well.. in the other fixes for error handling.
Warner
>
> r~
>
