misc/169608: the mmap(), mprotect(), and munmap() functions get
fucked by some corner-case arguments
deeptech71 at gmail.com
deeptech71 at gmail.com
Mon Jul 2 18:40:03 UTC 2012
The following reply was made to PR misc/169608; it has been noted by GNATS.
From: deeptech71 at gmail.com
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: misc/169608: the mmap(), mprotect(), and munmap() functions get
fucked by some corner-case arguments
Date: Mon, 02 Jul 2012 20:42:32 +0200
This is a multi-part message in MIME format.
--------------050908070503090907040505
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
--------------050908070503090907040505
Content-Type: text/plain; charset=UTF-8;
name="xs.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="xs.c"
#include <sys/mman.h>
#include <stdlib.h>
#include <stdio.h>
/* Print the outcome of a call that returns 0 on success: the errno text on failure, "success!" otherwise. */
static void report_result(int rc)
{
    if (rc != 0) {
        perror(NULL);
        return;
    }
    printf("success!\n");
}

/*
 * Issue one memory-mapping call with the given address and size and print the result.
 *
 * num, total: position of this case and the number of cases, used only in the "[num/total]" prefix.
 * func:       1 = mmap(), 2 = mprotect(), 3 = munmap(); any other value does nothing.
 * addr, size: passed unchanged to the selected call.
 *
 * stdout is flushed before every call (presumably so the description is still
 * visible if the call or the following store kills the process).
 */
void test1(unsigned num, unsigned total, int func, void *addr, size_t size)
{
    if (func == 1) {
        printf("[%u/%u] mmap(%p, %zu, PROT_READ | PROT_WRITE, MAP_ANON, -1, 0)... ", num, total, addr, size);
        fflush(stdout);

        void *mapping = mmap(addr, size, PROT_READ | PROT_WRITE, MAP_ANON, -1, 0);
        if (mapping != MAP_FAILED) {
            printf("success: got %p; writing here... ", mapping);
            fflush(stdout);
            /* Store through the returned pointer: a mapping reported as
             * successful but not actually writable shows up here. */
            *((int *)mapping) = 1337;
            printf("success!\n");
        } else {
            perror(NULL);
        }
    } else if (func == 2) {
        printf("[%u/%u] mprotect(%p, %zu, PROT_NONE)... ", num, total, addr, size);
        fflush(stdout);
        report_result(mprotect(addr, size, PROT_NONE));
    } else if (func == 3) {
        printf("[%u/%u] munmap(%p, %zu)... ", num, total, addr, size);
        fflush(stdout);
        report_result(munmap(addr, size));
    }
}
/* Element count of an array. x must be a real array, not a pointer: on a pointer, sizeof(x) is the pointer size. */
#define ARRAY_LEN(x) (sizeof(x) / sizeof(*(x)))
/* Page size used to build the corner-case addresses and sizes in main().
 * NOTE(review): hard-coded to 4096; the running system's page size may differ — confirm. */
#define PAGE_SIZE 4096
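/*
 * Run one mmap()/mprotect()/munmap() corner case selected on the command line.
 *
 * Usage: xs <func> <num>
 *   func  1 = mmap, 2 = mprotect, 3 = munmap (dispatched by test1())
 *   num   1-based case number into the cross product addrs[] x sizes[]
 *
 * Returns 0 after running the case, or EXIT_FAILURE when an argument is
 * missing, not a number, or out of range.
 */
int main(int argc, char *argv[])
{
    /* Corner-case inputs: NULL, unaligned addresses, and negative constants
     * that convert to values at the very top of the address / size range. */
    void *addrs[] = { NULL, (void *)0xBEEF, (void *)0xDEADBEEF, (void *)-PAGE_SIZE, (void *)-1 };
    size_t sizes[] = { (size_t)0, (size_t)PAGE_SIZE, (size_t)2000000000, (size_t)4000000000, (size_t)-PAGE_SIZE, (size_t)-1 };
    const size_t total = ARRAY_LEN(addrs) * ARRAY_LEN(sizes);
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "xs";
    char *end;

    /* Without this check argv[1]/argv[2] may be NULL and atoi() would dereference it. */
    if (argc < 3) {
        fprintf(stderr, "usage: %s func(1-3) num(1-%zu)\n", prog, total);
        return EXIT_FAILURE;
    }

    long func = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || func < 1 || func > 3) {
        fprintf(stderr, "%s: func must be 1 (mmap), 2 (mprotect) or 3 (munmap)\n", prog);
        return EXIT_FAILURE;
    }

    /* num indexes both tables; an unchecked value (0, negative, or > total)
     * reads outside addrs[]/sizes[]. */
    long num = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || num < 1 || (unsigned long)num > total) {
        fprintf(stderr, "%s: num must be between 1 and %zu\n", prog, total);
        return EXIT_FAILURE;
    }

    size_t idx = (size_t)(num - 1);
    test1((unsigned)num, (unsigned)total, (int)func,
          addrs[idx / ARRAY_LEN(sizes)], sizes[idx % ARRAY_LEN(sizes)]);
    return 0;
}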
--------------050908070503090907040505--