fix dangling pointers in x32 syscall timespec fixup code

the lifetime of compound literals is the block in which they appear.
the temporary struct __timespec_kernel objects created as compound
literals no longer existed at the time their addresses were passed to
the kernel.

diff --git a/arch/x32/src/syscall_cp_fixup.c b/arch/x32/src/syscall_cp_fixup.c
index 07d39b527d7b3547516bf06f18ce223319fb1993..deb01ee9a5ebefcb753ec1392058308a3f412755 100644 (file)
--- a/arch/x32/src/syscall_cp_fixup.c
+++ b/arch/x32/src/syscall_cp_fixup.c
@@ -9,14 +9,18 @@ long __syscall_cp_internal(volatile void*, long long, long long, long long, long
 struct __timespec { long long tv_sec; long tv_nsec; };
 struct __timespec_kernel { long long tv_sec; long long tv_nsec; };
 #define __tsc(X) ((struct __timespec*)(unsigned long)(X))
-#define __fixup(X) do { if(X) X = (unsigned long) (&(struct __timespec_kernel) \
-                   { .tv_sec = __tsc(X)->tv_sec, .tv_nsec = __tsc(X)->tv_nsec}); } while(0)
+#define __fixup(X) do { if(X) { \
+       ts->tv_sec = __tsc(X)->tv_sec; \
+       ts->tv_nsec = __tsc(X)->tv_nsec; \
+       (X) = (unsigned long)ts; } } while(0)
 
 #ifdef SHARED
 __attribute__((__visibility__("hidden")))
 #endif
 long __syscall_cp_asm (volatile void * foo, long long n, long long a1, long long a2, long long a3,
-                            long long a4, long long a5, long long a6) {
+                            long long a4, long long a5, long long a6)
+{
+       struct __timespec_kernel ts[1];
        switch (n) {
        case SYS_mq_timedsend: case SYS_mq_timedreceive: case SYS_pselect6:
                __fixup(a5);

diff --git a/arch/x32/syscall_arch.h b/arch/x32/syscall_arch.h
index af67fe3fc28bfad40a9acece0b7a2eb543a03d0a..344da03c9a49947f4db0fa2ce2665e8aa597070a 100644 (file)
--- a/arch/x32/syscall_arch.h
+++ b/arch/x32/syscall_arch.h
@@ -6,8 +6,10 @@ typedef long long syscall_arg_t;
 struct __timespec { long long tv_sec; long tv_nsec; };
 struct __timespec_kernel { long long tv_sec; long long tv_nsec; };
 #define __tsc(X) ((struct __timespec*)(unsigned long)(X))
-#define __fixup(X) do { if(X) X = (unsigned long) (&(struct __timespec_kernel) \
-                   { .tv_sec = __tsc(X)->tv_sec, .tv_nsec = __tsc(X)->tv_nsec}); } while(0)
+#define __fixup(X) do { if(X) { \
+       ts->tv_sec = __tsc(X)->tv_sec; \
+       ts->tv_nsec = __tsc(X)->tv_nsec; \
+       (X) = (unsigned long)ts; } } while(0)
 #define __fixup_case_2 \
        case SYS_nanosleep: \
                __fixup(a1); break; \
@@ -17,10 +19,13 @@ struct __timespec_kernel { long long tv_sec; long long tv_nsec; };
        case SYS_clock_nanosleep: case SYS_rt_sigtimedwait: case SYS_ppoll: \
                __fixup(a3); break; \
        case SYS_utimensat: \
-               if(a3) a3 = (unsigned long) ((struct __timespec_kernel[2]) { \
-               [0] = {.tv_sec = __tsc(a3)[0].tv_sec, .tv_nsec = __tsc(a3)[0].tv_nsec}, \
-               [1] = {.tv_sec = __tsc(a3)[1].tv_sec, .tv_nsec = __tsc(a3)[1].tv_nsec}, \
-               }); break;
+               if(a3) { \
+                       ts[0].tv_sec = __tsc(a3)[0].tv_sec; \
+                       ts[0].tv_nsec = __tsc(a3)[0].tv_nsec; \
+                       ts[1].tv_sec = __tsc(a3)[1].tv_sec; \
+                       ts[1].tv_nsec = __tsc(a3)[1].tv_nsec; \
+                       a3 = (unsigned long)ts; \
+               } break;
 #define __fixup_case_4 \
        case SYS_futex: \
                if((a2 & (~128 /* FUTEX_PRIVATE_FLAG */)) == 0 /* FUTEX_WAIT */) __fixup(a4); break;
@@ -45,7 +50,7 @@ static __inline long __syscall1(long long n, long long a1)
 static __inline long __syscall2(long long n, long long a1, long long a2)
 {
        unsigned long ret;
-       struct __timespec *ts2 = 0;
+       struct __timespec_kernel ts[1];
        switch (n) {
                __fixup_case_2;
        }
@@ -57,6 +62,7 @@ static __inline long __syscall2(long long n, long long a1, long long a2)
 static __inline long __syscall3(long long n, long long a1, long long a2, long long a3)
 {
        unsigned long ret;
+       struct __timespec_kernel ts[2];
        switch (n) {
                __fixup_case_2;
                __fixup_case_3;
@@ -71,6 +77,7 @@ static __inline long __syscall4(long long n, long long a1, long long a2, long lo
 {
        unsigned long ret;
        register long long a4 __asm__("r10") = a4_;
+       struct __timespec_kernel ts[2];
        switch (n) {
                __fixup_case_2;
                __fixup_case_3;
@@ -87,6 +94,7 @@ static __inline long __syscall5(long long n, long long a1, long long a2, long lo
        unsigned long ret;
        register long long a4 __asm__("r10") = a4_;
        register long long a5 __asm__("r8") = a5_;
+       struct __timespec_kernel ts[2];
        switch (n) {
                __fixup_case_2;
                __fixup_case_3;
@@ -105,6 +113,7 @@ static __inline long __syscall6(long long n, long long a1, long long a2, long lo
        register long long a4 __asm__("r10") = a4_;
        register long long a5 __asm__("r8") = a5_;
        register long long a6 __asm__("r9") = a6_;
+       struct __timespec_kernel ts[2];
        switch (n) {
                __fixup_case_2;
                __fixup_case_3;