From owner-freebsd-bugs@FreeBSD.ORG  Wed Jan 30 01:30:03 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5ED0316A41B
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 30 Jan 2008 01:30:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 48E7413C44B
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 30 Jan 2008 01:30:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m0U1U37i006718
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 30 Jan 2008 01:30:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m0U1U3ST006708;
	Wed, 30 Jan 2008 01:30:03 GMT (envelope-from gnats)
Date: Wed, 30 Jan 2008 01:30:03 GMT
Message-Id: <200801300130.m0U1U3ST006708@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: KOIE Hidetaka <koie@suri.co.jp>
Cc: 
Subject: Re: kern/68765: [mmap] a little data can be stored beyond EOF.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: KOIE Hidetaka <koie@suri.co.jp>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jan 2008 01:30:03 -0000

The following reply was made to PR kern/68765; it has been noted by GNATS.

From: KOIE Hidetaka <koie@suri.co.jp>
To: bug-followup@FreeBSD.org
Cc: kmacy@FreeBSD.org
Subject: Re: kern/68765: [mmap] a little data can be stored beyond EOF.
Date: Wed, 30 Jan 2008 10:28:43 +0900 (JST)

   Message-Id: <200711180820.lAI8KAB0057218@freefall.freebsd.org>
   Date:       Sun, 18 Nov 2007 08:20:10 GMT
   From:       kmacy@FreeBSD.org
   Subject:    Re: kern/68765: [mmap] a little data can be stored beyon..
 
   | Synopsis: [mmap] a little data can be stored beyond EOF.
   | 
   | State-Changed-From-To: open->feedback
   | State-Changed-By: kmacy
   | State-Changed-When: Sun Nov 18 08:19:22 UTC 2007
   | State-Changed-Why: 
   | 
   | Does this still occur? If so please mail your test case inline.
   | 
   | http://www.freebsd.org/cgi/query-pr.cgi?pr=68765
   | 
 
 Yes.
 
 koie@guriandgura% uname -a
 FreeBSD guriandgura 8.0-CURRENT FreeBSD 8.0-CURRENT #2: Fri Nov 16 14:33:17 JST 2007     koie@guriandgura:/usr/obj/usr/src/sys/GURIANDGURA  amd64
 koie@guriandgura% cd /tmp
 koie@guriandgura% df /tmp
 Filesystem 1024-blocks Used      Avail Capacity  Mounted on
 tank/tmp    1305033600  128 1305033472     0%    /tmp    <==== /tmp is ZFS now.
 koie@guriandgura% cat -n hole.c
      1	#include <assert.h>
      2	#include <stdio.h>
      3	#include <stdlib.h>
      4	#include <string.h>
      5	#include <fcntl.h>
      6	#include <sys/types.h>
      7	#include <sys/mman.h>
      8	#include <unistd.h>
      9	
     10	int PAGESIZE;
     11	
     12	#define FILE "empty.dat"
     13	#define SECRET_OFF 1000
     14	int ordinary_size;
     15	
     16	int
     17	w()
     18	{
     19	    int rc = -1;
     20	    int fd;
     21	
     22	    // write a ordinary data nomally
     23	    if ((fd = open(FILE, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) {
     24		perror("open");
     25		goto out;
     26	    }
     27	    char buf[] = "TEST";
     28	    if (write(fd, buf, sizeof buf) != sizeof buf) {
     29		perror("write");
     30		goto out;
     31	    }
     32	    ordinary_size = lseek(fd, 0, SEEK_CUR);
     33	
     34	    // put a hidden data beyond EOF
     35	    char *addr = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
     36	    if (addr == MAP_FAILED) {
     37		perror("mmap");
     38		goto out;
     39	    }
     40	    assert (ordinary_size < SECRET_OFF);
     41	    strcpy(addr+SECRET_OFF, "SECRET");
     42	
     43	    // finalize
     44	    if (close(fd) < 0) {
     45		perror("close");
     46		goto out;
     47	    }
     48	    if (munmap(addr, PAGESIZE) < 0) {
     49		perror("munmap");
     50		goto out;
     51	    }
     52	    rc = 0;
     53	 out:
     54	    return rc;
     55	}
     56	
     57	int
     58	r()
     59	{
     60	    int rc = -1;
     61	    int fd;
     62	    int n;
     63	    char buf[PAGESIZE];
     64	    char *addr;
     65	
     66	    // using read normally, get a ordinary data.
     67	    if ((fd = open(FILE, O_RDONLY)) < 0) {
     68		perror("open");
     69		goto out;
     70	    }
     71	    if ((n = read(fd, buf, sizeof buf)) < 0) {
     72		perror("read");
     73		goto out;
     74	    }
     75	    printf("read n=%d buf=<%s>\n", n, buf);
     76	
     77	    // using mmap, extract a hidden data.
     78	    addr = mmap(0, PAGESIZE, PROT_READ, MAP_PRIVATE, fd, 0);
     79	    if (addr == MAP_FAILED) {
     80		perror("mmap");
     81		goto out;
     82	    }
     83	    printf("SECRET_OFF=<%s>\n", addr+SECRET_OFF);
     84	
     85	    // finalize
     86	    if (close(fd) < 0) {
     87		perror("close");
     88		goto out;
     89	    }
     90	    if (munmap(addr, PAGESIZE) < 0) {
     91		perror("munmap");
     92		goto out;
     93	    }
     94	    rc = 0;
     95	 out:
     96	    return rc;
     97	}
     98	
     99	int
    100	main()
    101	{
    102	    PAGESIZE = sysconf(_SC_PAGESIZE);
    103	    if (w() < 0)
    104		goto out;
    105	    if (r() < 0)
    106		goto out;
    107	#if 1
    108	    /* erase */
    109	    truncate(FILE, ordinary_size+1);
    110	    truncate(FILE, ordinary_size);
    111	#endif
    112	    if (r() < 0)
    113		goto out;
    114	 out:
    115	    exit(0);
    116	}
 koie@guriandgura% cc -o hole hole.c
 koie@guriandgura% ./hole
 read n=5 buf=<TEST>
 SECRET_OFF=<SECRET>                 <=== "SECRET" is put beyond EOF.
 read n=5 buf=<TEST>
 SECRET_OFF=<>                       <=== "SECRET" is zero-filled by truncate().
 koie@guriandgura% cd /tmp.ufs
 koie@guriandgura% df /tmp.ufs       <=== test on UFS2.
 Filesystem  1024-blocks   Used  Avail Capacity  Mounted on
 /dev/ad4s2e      507630 320244 146776    69%    /tmp.ufs
 koie@guriandgura% /tmp/hole
 read n=5 buf=<TEST>
 SECRET_OFF=<SECRET>
 read n=5 buf=<TEST>
 SECRET_OFF=<>
 koie@guriandgura% 
 
 --
 KOIE Hidetaka / koie@suri.co.jp / SURIGIKEN Co.,LTD.