[Bug 195882] Local DoS from unprivileged user
bugzilla-noreply at freebsd.org
Mon Nov 5 23:40:57 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195882
Mark Millard <marklmi26-fbsd at yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marklmi26-fbsd at yahoo.com
--- Comment #2 from Mark Millard <marklmi26-fbsd at yahoo.com> ---
    mem = mmap(NULL, write_size, (PROT_READ | PROT_WRITE),
               (MAP_SHARED | MAP_NOCORE), fd, (i * write_size));
    . . .
    //msync(mem, file_size, MS_SYNC);
    //posix_madvise(mem, file_size, MADV_FREE);
    munmap(mem, file_size);
write_size for len for mmap but file_size for len for
munmap?
Quoting the man page for munmap:
    The munmap() system call will fail if:

    [EINVAL]    The addr argument was not page aligned, the len
                argument was zero or negative, or some part of the
                region being unmapped is outside the valid address
                range for a process.
As near as I can tell the munmap calls were returning
EINVAL and possibly not actually doing the unmap at all.
A correct len for the munmap would be needed in order
for the munmap calls to actually guarantee to unmap
without leaving any pages mapped.
The denial of service could just have the munmap
commented out, like the msync and posix_madvise
are. munmap freeing RAM (or not) is a separate issue.
You probably would need distinct submittals for the
two issues if both really apply.
--
You are receiving this mail because:
You are the assignee for the bug.
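
The length point from the comment above, as an added example (not code from the bug report or from the commenter): each window is unmapped with the same length it was mapped with, and every munmap() return value is checked. The names scratch_fd, map_touch_unmap and rejected_unmap_errno are hypothetical, MAP_NOCORE is left out because it is FreeBSD-specific, and a zero length is used only as a portable way to get munmap() to return EINVAL.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed input: an anonymous scratch file of `size` bytes. */
static int scratch_fd(size_t size)
{
    FILE *f = tmpfile();
    if (f == NULL || ftruncate(fileno(f), (off_t)size) != 0) return -1;
    return fileno(f);
}

/* Map `chunks` windows of write_size bytes, touch each one, and unmap it
 * with the SAME length. Returns the windows released, or -1 on failure. */
static int map_touch_unmap(int fd, size_t write_size, int chunks)
{
    for (int i = 0; i < chunks; i++) {
        char *mem = mmap(NULL, write_size, PROT_READ | PROT_WRITE,
                         MAP_SHARED, fd, (off_t)i * (off_t)write_size);
        if (mem == MAP_FAILED) { perror("mmap"); return -1; }
        mem[0] = (char)i;                     /* dirty one page */
        if (munmap(mem, write_size) != 0) { perror("munmap"); return -1; }
    }
    return chunks;
}

/* Call munmap() with an invalid length and return the errno it reports.
 * The write afterwards shows that the failed call released nothing. */
static int rejected_unmap_errno(int fd, size_t write_size)
{
    char *mem = mmap(NULL, write_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (mem == MAP_FAILED) return -1;
    int err = (munmap(mem, 0) == -1) ? errno : 0;
    mem[0] = 'x';                             /* still mapped */
    if (munmap(mem, write_size) != 0) return -1;
    return err;
}

int main(void)
{
    size_t ws = (size_t)sysconf(_SC_PAGESIZE) * 4;  /* keeps offsets page aligned */
    int fd = scratch_fd(ws * 8);
    if (fd < 0) return 1;
    printf("windows released: %d\n", map_touch_unmap(fd, ws, 8));
    printf("munmap(mem, 0) errno: %d\n", rejected_unmap_errno(fd, ws));
    return 0;
}
```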