From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Richard Henderson, Laurent Vivier
Subject: [PULL 02/14] linux-user: Validate mmap/mprotect prot value
Date: Thu, 13 Aug 2020 08:49:11 +0200
Message-Id: <20200813064923.263565-3-laurent@vivier.eu>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200813064923.263565-1-laurent@vivier.eu>
References: <20200813064923.263565-1-laurent@vivier.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Richard Henderson

The kernel will return -EINVAL for bits set in the prot argument
that are unknown or invalid. Previously we were simply cropping
out the bits that we care about.

Introduce validate_prot_to_pageflags to perform this check in a
single place between the two syscalls. Differentiate between the
target and host versions of prot. Compute the qemu internal
page_flags value at the same time.

Signed-off-by: Richard Henderson
Reviewed-by: Peter Maydell
Message-Id: <20200519185645.3915-2-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/mmap.c | 106 +++++++++++++++++++++++++++++++---------------
 1 file changed, 73 insertions(+), 33 deletions(-)

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 0019447892e0..46c7eeba9bd2 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -59,64 +59,96 @@ void mmap_fork_end(int child) pthread_mutex_unlock(&mmap_mutex); } =20 +/* + * Validate target prot bitmask. + * Return the prot bitmask for the host in *HOST_PROT. + * Return 0 if the target prot bitmask is invalid, otherwise + * the internal qemu page_flags (which will include PAGE_VALID). + */ +static int validate_prot_to_pageflags(int *host_prot, int prot) +{ + int valid =3D PROT_READ | PROT_WRITE | PROT_EXEC | TARGET_PROT_SEM; + int page_flags =3D (prot & PAGE_BITS) | PAGE_VALID; + + /* + * For the host, we need not pass anything except read/write/exec. + * While PROT_SEM is allowed by all hosts, it is also ignored, so + * don't bother transforming guest bit to host bit. Any other + * target-specific prot bits will not be understood by the host + * and will need to be encoded into page_flags for qemu emulation. + */ + *host_prot =3D prot & (PROT_READ | PROT_WRITE | PROT_EXEC); + + return prot & ~valid ? 0 : page_flags; +} + /* NOTE: all the constants are the HOST ones, but addresses are target. 
*/ -int target_mprotect(abi_ulong start, abi_ulong len, int prot) +int target_mprotect(abi_ulong start, abi_ulong len, int target_prot) { abi_ulong end, host_start, host_end, addr; - int prot1, ret; + int prot1, ret, page_flags, host_prot; =20 - trace_target_mprotect(start, len, prot); + trace_target_mprotect(start, len, target_prot); =20 - if ((start & ~TARGET_PAGE_MASK) !=3D 0) + if ((start & ~TARGET_PAGE_MASK) !=3D 0) { return -TARGET_EINVAL; + } + page_flags =3D validate_prot_to_pageflags(&host_prot, target_prot); + if (!page_flags) { + return -TARGET_EINVAL; + } len =3D TARGET_PAGE_ALIGN(len); end =3D start + len; if (!guest_range_valid(start, len)) { return -TARGET_ENOMEM; } - prot &=3D PROT_READ | PROT_WRITE | PROT_EXEC; - if (len =3D=3D 0) + if (len =3D=3D 0) { return 0; + } =20 mmap_lock(); host_start =3D start & qemu_host_page_mask; host_end =3D HOST_PAGE_ALIGN(end); if (start > host_start) { /* handle host page containing start */ - prot1 =3D prot; - for(addr =3D host_start; addr < start; addr +=3D TARGET_PAGE_SIZE)= { + prot1 =3D host_prot; + for (addr =3D host_start; addr < start; addr +=3D TARGET_PAGE_SIZE= ) { prot1 |=3D page_get_flags(addr); } if (host_end =3D=3D host_start + qemu_host_page_size) { - for(addr =3D end; addr < host_end; addr +=3D TARGET_PAGE_SIZE)= { + for (addr =3D end; addr < host_end; addr +=3D TARGET_PAGE_SIZE= ) { prot1 |=3D page_get_flags(addr); } end =3D host_end; } - ret =3D mprotect(g2h(host_start), qemu_host_page_size, prot1 & PAG= E_BITS); - if (ret !=3D 0) + ret =3D mprotect(g2h(host_start), qemu_host_page_size, + prot1 & PAGE_BITS); + if (ret !=3D 0) { goto error; + } host_start +=3D qemu_host_page_size; } if (end < host_end) { - prot1 =3D prot; - for(addr =3D end; addr < host_end; addr +=3D TARGET_PAGE_SIZE) { + prot1 =3D host_prot; + for (addr =3D end; addr < host_end; addr +=3D TARGET_PAGE_SIZE) { prot1 |=3D page_get_flags(addr); } - ret =3D mprotect(g2h(host_end - qemu_host_page_size), qemu_host_pa= ge_size, - prot1 & 
PAGE_BITS); - if (ret !=3D 0) + ret =3D mprotect(g2h(host_end - qemu_host_page_size), + qemu_host_page_size, prot1 & PAGE_BITS); + if (ret !=3D 0) { goto error; + } host_end -=3D qemu_host_page_size; } =20 /* handle the pages in the middle */ if (host_start < host_end) { - ret =3D mprotect(g2h(host_start), host_end - host_start, prot); - if (ret !=3D 0) + ret =3D mprotect(g2h(host_start), host_end - host_start, host_prot= ); + if (ret !=3D 0) { goto error; + } } - page_set_flags(start, start + len, prot | PAGE_VALID); + page_set_flags(start, start + len, page_flags); mmap_unlock(); return 0; error: @@ -360,19 +392,26 @@ abi_ulong mmap_find_vma(abi_ulong start, abi_ulong si= ze, abi_ulong align) } =20 /* NOTE: all the constants are the HOST ones */ -abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, +abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot, int flags, int fd, abi_ulong offset) { abi_ulong ret, end, real_start, real_end, retaddr, host_offset, host_l= en; + int page_flags, host_prot; =20 mmap_lock(); - trace_target_mmap(start, len, prot, flags, fd, offset); + trace_target_mmap(start, len, target_prot, flags, fd, offset); =20 if (!len) { errno =3D EINVAL; goto fail; } =20 + page_flags =3D validate_prot_to_pageflags(&host_prot, target_prot); + if (!page_flags) { + errno =3D EINVAL; + goto fail; + } + /* Also check for overflows... */ len =3D TARGET_PAGE_ALIGN(len); if (!len) { 
@@ -438,14 +477,15 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, = int prot, /* Note: we prefer to control the mapping address. It is especially important if qemu_host_page_size > qemu_real_host_page_size */ - p =3D mmap(g2h(start), host_len, prot, + p =3D mmap(g2h(start), host_len, host_prot, flags | MAP_FIXED | MAP_ANONYMOUS, -1, 0); - if (p =3D=3D MAP_FAILED) + if (p =3D=3D MAP_FAILED) { goto fail; + } /* update start so that it points to the file position at 'offset'= */ host_start =3D (unsigned long)p; if (!(flags & MAP_ANONYMOUS)) { - p =3D mmap(g2h(start), len, prot, + p =3D mmap(g2h(start), len, host_prot, flags | MAP_FIXED, fd, host_offset); if (p =3D=3D MAP_FAILED) { munmap(g2h(start), host_len); @@ -479,19 +519,19 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, = int prot, /* msync() won't work here, so we return an error if write is possible while it is a shared mapping */ if ((flags & MAP_TYPE) =3D=3D MAP_SHARED && - (prot & PROT_WRITE)) { + (host_prot & PROT_WRITE)) { errno =3D EINVAL; goto fail; } - retaddr =3D target_mmap(start, len, prot | PROT_WRITE, + retaddr =3D target_mmap(start, len, target_prot | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (retaddr =3D=3D -1) goto fail; if (pread(fd, g2h(start), len, offset) =3D=3D -1) goto fail; - if (!(prot & PROT_WRITE)) { - ret =3D target_mprotect(start, len, prot); + if (!(host_prot & PROT_WRITE)) { + ret =3D target_mprotect(start, len, target_prot); assert(ret =3D=3D 0); } goto the_end; 
@@ -502,13 +542,13 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, = int prot, if (real_end =3D=3D real_start + qemu_host_page_size) { /* one single host page */ ret =3D mmap_frag(real_start, start, end, - prot, flags, fd, offset); + host_prot, flags, fd, offset); if (ret =3D=3D -1) goto fail; goto the_end1; } ret =3D mmap_frag(real_start, start, real_start + qemu_host_pa= ge_size, - prot, flags, fd, offset); + host_prot, flags, fd, offset); if (ret =3D=3D -1) goto fail; real_start +=3D qemu_host_page_size; @@ -517,7 +557,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, in= t prot, if (end < real_end) { ret =3D mmap_frag(real_end - qemu_host_page_size, real_end - qemu_host_page_size, end, - prot, flags, fd, + host_prot, flags, fd, offset + real_end - qemu_host_page_size - star= t); if (ret =3D=3D -1) goto fail; @@ -533,13 +573,13 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, = int prot, else offset1 =3D offset + real_start - start; p =3D mmap(g2h(real_start), real_end - real_start, - prot, flags, fd, offset1); + host_prot, flags, fd, offset1); if (p =3D=3D MAP_FAILED) goto fail; } } the_end1: - page_set_flags(start, start + len, prot | PAGE_VALID); + page_set_flags(start, start + len, page_flags); the_end: trace_target_mmap_complete(start); if (qemu_loglevel_mask(CPU_LOG_PAGE)) { --=20 2.26.2
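Review bot: in the first hunk (validate_prot_to_pageflags), the `valid` mask `PROT_READ | PROT_WRITE | PROT_EXEC | TARGET_PROT_SEM` does not include PROT_GROWSDOWN and PROT_GROWSUP, which mprotect(2) accepts (the kernel strips them before its own reserved-bit check), so a guest passing either flag now gets -TARGET_EINVAL where the old `prot &= PROT_READ | PROT_WRITE | PROT_EXEC` silently cropped it; either add them to the mask and decide how target_mprotect treats them, or say in the commit message that rejecting them is intended. Two smaller points on the same hunk: `return prot & ~valid ? 0 : page_flags;` is only correct because `&` binds tighter than `?:`, so `return (prot & ~valid) ? 0 : page_flags;` reads more safely, and the "0 means invalid" contract holds only because PAGE_VALID is always or'ed into page_flags; a one-line comment stating that would help the next reader.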
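Review bot: in the target_mprotect hunk the new `page_flags = validate_prot_to_pageflags(&host_prot, target_prot);` check is placed before the `if (len == 0) { return 0; }` early return, so a zero-length mprotect carrying an unknown prot bit now fails with -TARGET_EINVAL instead of returning 0 as the kernel does (do_mprotect_pkey returns 0 for zero length before it validates prot). If matching the kernel matters here, move the call to just after the `len == 0` return; it still precedes the first use of host_prot in the partial-page loops, so nothing else changes.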
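Review bot: in the `@@ -479,19 +519,19 @@` hunk the recursive `retaddr = target_mmap(start, len, target_prot | PROT_WRITE, ...)` ORs a host constant into what this patch now calls a target prot; it works because of the file's NOTE that the constants are the HOST ones, but now that target_prot and host_prot are distinct names, a short comment at that line (or `TARGET_PROT_WRITE` if the target headers define one) would stop a reader from taking it for a mixed-namespace bug. The `page_set_flags(start, start + len, page_flags)` at the_end1 is correctly skipped on this path via `goto the_end`, since the nested target_mmap/target_mprotect calls have already installed the right flags.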