linux-user: Dereference Pointer Argument to ipc/semctl Sys Call

When the ipc system call is used to wrap a semctl system call, the ptr argument to ipc needs to be dereferenced prior to passing it to the semctl handler. This is because the fourth argument to semctl is a union and not a pointer to a union. Signed-off-by: Tom Musta <tommusta@gmail.com> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
qemu · Aug 22, 2014 · 5d2fa8e · 5d2fa8e
1 parent 0352734
commit 5d2fa8e
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
@@ -3140,9 +3140,15 @@ static abi_long do_ipc(unsigned int call, int first,
         ret = get_errno(semget(first, second, third));
         break;
 
-    case IPCOP_semctl:
-        ret = do_semctl(first, second, third, (union target_semun)(abi_ulong) ptr);
+    case IPCOP_semctl: {
+        /* The semun argument to semctl is passed by value, so dereference the
+         * ptr argument. */
+        abi_ulong atptr;
+        get_user_ual(atptr, (abi_ulong)ptr);
+        ret = do_semctl(first, second, third,
+                (union target_semun)(abi_ulong) atptr);
         break;
+    }
 
     case IPCOP_msgget:
         ret = get_errno(msgget(first, second));