svn commit: r348843 - head/sys/vm
Bruce Evans
brde at optusnet.com.au
Mon Jun 10 06:54:21 UTC 2019
On Mon, 10 Jun 2019, Doug Moore wrote:
> Log:
> There are times when a len==0 parameter to mmap is okay. But on a
> 32-bit machine, a len parameter just a few bytes short of 4G, rounded
> up to a page boundary and hitting zero then, is not okay. Return
> failure in that case.
Some overflows still occur.
The problem is not limited to 32-bit machines. The first overflow is for
len parameter just a few bytes short of SIZE_MAX added to a page offset of
a few bytes. This overflows to a small value. Then rounding up to a page
boundary doesn't overflow, but gives 0 or PAGE_SIZE, so the new overflow
check doesn't work and overflow still occurs.
The second overflow is for a len parameter just a few bytes short of
SIZE_MAX with the first overflow not occurring (usually because the offset
is 0). This is now detected.
> Reported by: pho
> Reviewed by: alc, kib (mentor)
> Tested by: pho
> Differential Revision: https://reviews.freebsd.org/D20580
>
> Modified:
> head/sys/vm/vm_mmap.c
>
> Modified: head/sys/vm/vm_mmap.c
> ==============================================================================
> --- head/sys/vm/vm_mmap.c Sun Jun 9 22:55:21 2019 (r348842)
> +++ head/sys/vm/vm_mmap.c Mon Jun 10 03:07:10 2019 (r348843)
> @@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t s
>
> /* Adjust size for rounding (on both ends). */
> size += pageoff; /* low end... */
The first overflow occurs here. Except in special cases, pageoff can be
anything between 0 and PAGE_SIZE - 1, and size can be anything between 0
and SIZE_MAX.
> - size = (vm_size_t) round_page(size); /* hi end */
> + /* Check for rounding up to zero. */
> + if (round_page(size) < size)
> + return (EINVAL);
> + size = round_page(size); /* hi end */
>
> /* Ensure alignment is at least a page and fits in a pointer. */
> align = flags & MAP_ALIGNMENT_MASK;
This bug was implemented in r239247 and affects all versions of FreeBSD
newer than FreeBSD-7. Before then, FreeBSD used the bogus 4.4BSD check
that (ssize_t)uap->len >= 0 (else return EINVAL). This behaviour was
even documented. POSIX doesn't allow this -- it requires ENOMEM for
invalid ranges, though it should require EOVERFLOW for ranges that are
so invalid that they overflow something.
Bruce
More information about the svn-src-head
mailing list