kern/68765: [mmap] a little data can be stored beyond EOF.
KOIE Hidetaka
koie at suri.co.jp
Wed Jan 30 01:30:03 UTC 2008
The following reply was made to PR kern/68765; it has been noted by GNATS.
From: KOIE Hidetaka <koie at suri.co.jp>
To: bug-followup at FreeBSD.org
Cc: kmacy at FreeBSD.org
Subject: Re: kern/68765: [mmap] a little data can be stored beyond EOF.
Date: Wed, 30 Jan 2008 10:28:43 +0900 (JST)
Message-Id: <200711180820.lAI8KAB0057218 at freefall.freebsd.org>
Date: Sun, 18 Nov 2007 08:20:10 GMT
From: kmacy at FreeBSD.org
Subject: Re: kern/68765: [mmap] a little data can be stored beyon..
| Synopsis: [mmap] a little data can be stored beyond EOF.
|
| State-Changed-From-To: open->feedback
| State-Changed-By: kmacy
| State-Changed-When: Sun Nov 18 08:19:22 UTC 2007
| State-Changed-Why:
|
| Does this still occur? If so please mail your test case inline.
|
| http://www.freebsd.org/cgi/query-pr.cgi?pr=68765
|
Yes.
koie at guriandgura% uname -a
FreeBSD guriandgura 8.0-CURRENT FreeBSD 8.0-CURRENT #2: Fri Nov 16 14:33:17 JST 2007 koie at guriandgura:/usr/obj/usr/src/sys/GURIANDGURA amd64
koie at guriandgura% cd /tmp
koie at guriandgura% df /tmp
Filesystem 1024-blocks Used Avail Capacity Mounted on
tank/tmp 1305033600 128 1305033472 0% /tmp <==== /tmp is ZFS now.
koie at guriandgura% cat -n hole.c
1 #include <assert.h>
2 #include <stdio.h>
3 #include <stdlib.h>
4 #include <string.h>
5 #include <fcntl.h>
6 #include <sys/types.h>
7 #include <sys/mman.h>
8 #include <unistd.h>
9
10 int PAGESIZE;
11
12 #define FILE "empty.dat"
13 #define SECRET_OFF 1000
14 int ordinary_size;
15
16 int
17 w()
18 {
19 int rc = -1;
20 int fd;
21
22 // write a ordinary data nomally
23 if ((fd = open(FILE, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) {
24 perror("open");
25 goto out;
26 }
27 char buf[] = "TEST";
28 if (write(fd, buf, sizeof buf) != sizeof buf) {
29 perror("write");
30 goto out;
31 }
32 ordinary_size = lseek(fd, 0, SEEK_CUR);
33
34 // put a hidden data beyond EOF
35 char *addr = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
36 if (addr == MAP_FAILED) {
37 perror("mmap");
38 goto out;
39 }
40 assert (ordinary_size < SECRET_OFF);
41 strcpy(addr+SECRET_OFF, "SECRET");
42
43 // finalize
44 if (close(fd) < 0) {
45 perror("close");
46 goto out;
47 }
48 if (munmap(addr, PAGESIZE) < 0) {
49 perror("munmap");
50 goto out;
51 }
52 rc = 0;
53 out:
54 return rc;
55 }
56
57 int
58 r()
59 {
60 int rc = -1;
61 int fd;
62 int n;
63 char buf[PAGESIZE];
64 char *addr;
65
66 // using read normally, get a ordinary data.
67 if ((fd = open(FILE, O_RDONLY)) < 0) {
68 perror("open");
69 goto out;
70 }
71 if ((n = read(fd, buf, sizeof buf)) < 0) {
72 perror("read");
73 goto out;
74 }
75 printf("read n=%d buf=<%s>\n", n, buf);
76
77 // using mmap, extract a hidden data.
78 addr = mmap(0, PAGESIZE, PROT_READ, MAP_PRIVATE, fd, 0);
79 if (addr == MAP_FAILED) {
80 perror("mmap");
81 goto out;
82 }
83 printf("SECRET_OFF=<%s>\n", addr+SECRET_OFF);
84
85 // finalize
86 if (close(fd) < 0) {
87 perror("close");
88 goto out;
89 }
90 if (munmap(addr, PAGESIZE) < 0) {
91 perror("munmap");
92 goto out;
93 }
94 rc = 0;
95 out:
96 return rc;
97 }
98
99 int
100 main()
101 {
102 PAGESIZE = sysconf(_SC_PAGESIZE);
103 if (w() < 0)
104 goto out;
105 if (r() < 0)
106 goto out;
107 #if 1
108 /* erase */
109 truncate(FILE, ordinary_size+1);
110 truncate(FILE, ordinary_size);
111 #endif
112 if (r() < 0)
113 goto out;
114 out:
115 exit(0);
116 }
koie at guriandgura% cc -o hole hole.c
koie at guriandgura% ./hole
read n=5 buf=<TEST>
SECRET_OFF=<SECRET> <=== "SECRET" is put beyond EOF.
read n=5 buf=<TEST>
SECRET_OFF=<> <=== "SECRET" is zero-filled by truncate().
koie at guriandgura% cd /tmp.ufs
koie at guriandgura% df /tmp.ufs <=== test on UFS2.
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/ad4s2e 507630 320244 146776 69% /tmp.ufs
koie at guriandgura% /tmp/hole
read n=5 buf=<TEST>
SECRET_OFF=<SECRET>
read n=5 buf=<TEST>
SECRET_OFF=<>
koie at guriandgura%
--
KOIE Hidetaka / koie at suri.co.jp / SURIGIKEN Co.,LTD.
More information about the freebsd-bugs
mailing list