On 6/5/20 5:49 PM, Alex Bennée wrote:
> Relaxing the restrictions on 64 bit guests leads to the user being
> able to attempt to map right at the edge of addressable memory. This
> in turn led to address overflow tripping the assert in page_set_flags
> when the end address wrapped around.
>
> Detect the wrap earlier and correctly -ENOMEM the guest (in the
> reported case LTP mmap15).
>
> Fixes: 7d8cbbabcb
> Reported-by: Laurent Vivier <laurent@vivier.eu>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> ---
> linux-user/mmap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/mmap.c b/linux-user/mmap.c
> index e3780337974..2e05bd499e6 100644
> --- a/linux-user/mmap.c
> +++ b/linux-user/mmap.c
> @@ -467,7 +467,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
> * It can fail only on 64-bit host with 32-bit target.
> * On any other target/host host mmap() handles this error correctly.
> */
> - if (!guest_range_valid(start, len)) {
> + if (end < start || !guest_range_valid(start, len)) {
> errno = ENOMEM;
> goto fail;
> }
>
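Review bot: The comment kept in the hunk's leading context, "It can fail only on 64-bit host with 32-bit target", is now stale: the added `end < start` condition exists precisely for the 64-bit guest wrap-around described in the commit message, so the comment should be extended to say the check also rejects a `start + len` range that wraps past the top of the guest address space. The new condition is also only correct if `end` has been computed as `start + len` (after any page alignment of `len`) before this point, which the hunk does not show; worth confirming in the surrounding code, and worth a short comment at the check itself, since a reader seeing `end < start` alone will not know it is an overflow guard rather than a sanity check on caller arguments.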