From 396bef4b3846bf4e80a2bee38e9a2d8554d0f251 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:55 +0200 Subject: arm-semi: don't leak 1KB user string lock buffer upon TARGET_SYS_OPEN Always call unlock_user before returning. Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori --- target-arm/arm-semi.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'target-arm') diff --git a/target-arm/arm-semi.c b/target-arm/arm-semi.c index 2495206..73bde58 100644 --- a/target-arm/arm-semi.c +++ b/target-arm/arm-semi.c @@ -194,18 +194,19 @@ uint32_t do_arm_semihosting(CPUARMState *env) if (!(s = lock_user_string(ARG(0)))) /* FIXME - should this error code be -TARGET_EFAULT ? */ return (uint32_t)-1; - if (ARG(1) >= 12) + if (ARG(1) >= 12) { + unlock_user(s, ARG(0), 0); return (uint32_t)-1; + } if (strcmp(s, ":tt") == 0) { - if (ARG(1) < 4) - return STDIN_FILENO; - else - return STDOUT_FILENO; + int result_fileno = ARG(1) < 4 ? STDIN_FILENO : STDOUT_FILENO; + unlock_user(s, ARG(0), 0); + return result_fileno; } if (use_gdb_syscalls()) { gdb_do_syscall(arm_semi_cb, "open,%s,%x,1a4", ARG(0), (int)ARG(2)+1, gdb_open_modeflags[ARG(1)]); - return env->regs[0]; + ret = env->regs[0]; } else { ret = set_swi_errno(ts, open(s, open_modeflags[ARG(1)], 0644)); } -- cgit v1.1