Auto merge of rust-lang#3824 - tiif:maxeventeinval, r=RalfJung

Set EINVAL for epoll_wait maxevent value 0

Fixes rust-lang#3821

Author: bors

src/tools/miri/src/shims/unix/linux/epoll.rs

@@ -402,18 +402,23 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
         let this = self.eval_context_mut();
 
         let epfd = this.read_scalar(epfd)?.to_i32()?;
+        let events = this.read_immediate(events_op)?;
         let maxevents = this.read_scalar(maxevents)?.to_i32()?;
-        let event = this.deref_pointer_as(
-            events_op,
-            this.libc_array_ty_layout("epoll_event", maxevents.try_into().unwrap()),
-        )?;
         let timeout = this.read_scalar(timeout)?.to_i32()?;
 
-        if epfd <= 0 {
+        if epfd <= 0 || maxevents <= 0 {
             let einval = this.eval_libc("EINVAL");
             this.set_last_error(einval)?;
             return Ok(Scalar::from_i32(-1));
         }
+
+        // This needs to come after the maxevents value check, or else maxevents.try_into().unwrap()
+        // will fail.
+        let events = this.deref_pointer_as(
+            &events,
+            this.libc_array_ty_layout("epoll_event", maxevents.try_into().unwrap()),
+        )?;
+
         // FIXME: Implement blocking support
         if timeout != 0 {
             throw_unsup_format!("epoll_wait: timeout value can only be 0");
@@ -429,7 +434,7 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
         let ready_list = epoll_file_description.get_ready_list();
         let mut ready_list = ready_list.borrow_mut();
         let mut num_of_events: i32 = 0;
-        let mut array_iter = this.project_array_fields(&event)?;
+        let mut array_iter = this.project_array_fields(&events)?;
 
         while let Some((epoll_key, epoll_return)) = ready_list.pop_first() {
             // If the file description is fully close, the entry for corresponding FdID in the

src/tools/miri/tests/pass-dep/libc/libc-epoll.rs

@@ -19,6 +19,7 @@ fn main() {
     test_epoll_ctl_del();
     test_pointer();
     test_two_same_fd_in_same_epoll_instance();
+    test_epoll_wait_maxevent_zero();
 }
 
 // Using `as` cast since `EPOLLET` wraps around
@@ -528,3 +529,16 @@ fn test_no_notification_for_unregister_flag() {
     let expected_value = u64::try_from(fds[0]).unwrap();
     check_epoll_wait::<8>(epfd, &[(expected_event, expected_value)]);
 }
+
+fn test_epoll_wait_maxevent_zero() {
+    // Create an epoll instance.
+    let epfd = unsafe { libc::epoll_create1(0) };
+    assert_ne!(epfd, -1);
+    // It is ok to use uninitialised pointer here because it will error out before the
+    // pointer actually get accessed.
+    let array_ptr = MaybeUninit::<libc::epoll_event>::uninit().as_mut_ptr();
+    let res = unsafe { libc::epoll_wait(epfd, array_ptr, 0, 0) };
+    let e = std::io::Error::last_os_error();
+    assert_eq!(e.raw_os_error(), Some(libc::EINVAL));
+    assert_eq!(res, -1);
+}