svn commit: r348843 - head/sys/vm

Bruce Evans brde at optusnet.com.au
Mon Jun 10 06:54:21 UTC 2019 

On Mon, 10 Jun 2019, Doug Moore wrote:

> Log:
>  There are times when a len==0 parameter to mmap is okay. But on a
>  32-bit machine, a len parameter just a few bytes short of 4G, rounded
>  up to a page boundary and hitting zero then, is not okay. Return
>  failure in that case.

Some overflows still occur.

The problem is not limited to 32-bit machines.  The first overflow is for
len parameter just a few bytes short of SIZE_MAX added to a page offset of
a few bytes.  This overflows to a small value.  Then rounding up to a page
boundary doesn't overflow, but gives 0 or PAGE_SIZE, so the new overflow
check doesn't work and overflow still occurs.

The second overflow is for a len parameter just a few bytes short of
SIZE_MAX with the first overflow not occurring (usually because the offset
is 0).  This is now detected.

>  Reported by: pho
>  Reviewed by: alc, kib (mentor)
>  Tested by: pho
>  Differential Revision: https://reviews.freebsd.org/D20580
>
> Modified:
>  head/sys/vm/vm_mmap.c
>
> Modified: head/sys/vm/vm_mmap.c
> ==============================================================================
> --- head/sys/vm/vm_mmap.c	Sun Jun  9 22:55:21 2019	(r348842)
> +++ head/sys/vm/vm_mmap.c	Mon Jun 10 03:07:10 2019	(r348843)
> @@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t s
>
> 	/* Adjust size for rounding (on both ends). */
> 	size += pageoff;			/* low end... */

The first overflow occurs here.  Except in special cases, pageoff can be
anything between 0 and PAGE_SIZE - 1, and size can be anything between 0
and SIZE_MAX.

> -	size = (vm_size_t) round_page(size);	/* hi end */
> +	/* Check for rounding up to zero. */
> +	if (round_page(size) < size)
> +		return (EINVAL);
> +	size = round_page(size);		/* hi end */
>
> 	/* Ensure alignment is at least a page and fits in a pointer. */
> 	align = flags & MAP_ALIGNMENT_MASK;

This bug was implemented in r239247 and affects all versions of FreeBSD
newer than FreeBSD-7.  Before then, FreeBSD used the bogus 4.4BSD check
that (ssize_t)uap->len >= 0 (else return EINVAL).  This behaviour was
even documented.  POSIX doesn't allow this -- it requires ENOMEM for
invalid ranges, though it should require EOVERFLOW for ranges that are
so invalid that they overflow something.

Bruce

More information about the svn-src-head mailing list