From owner-svn-src-head@freebsd.org  Mon Jun 10 06:54:21 2019
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0289315B714D;
 Mon, 10 Jun 2019 06:54:21 +0000 (UTC)
 (envelope-from brde@optusnet.com.au)
Received: from mail104.syd.optusnet.com.au (mail104.syd.optusnet.com.au
 [211.29.132.246])
 by mx1.freebsd.org (Postfix) with ESMTP id 68C46956E5;
 Mon, 10 Jun 2019 06:54:20 +0000 (UTC)
 (envelope-from brde@optusnet.com.au)
Received: from [192.168.0.102] (c110-21-101-228.carlnfd1.nsw.optusnet.com.au
 [110.21.101.228])
 by mail104.syd.optusnet.com.au (Postfix) with ESMTPS id 73D4743E1C7;
 Mon, 10 Jun 2019 16:54:11 +1000 (AEST)
Date: Mon, 10 Jun 2019 16:54:09 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
X-X-Sender: bde@besplex.bde.org
To: Doug Moore <dougm@freebsd.org>
cc: src-committers@freebsd.org, svn-src-all@freebsd.org, 
 svn-src-head@freebsd.org
Subject: Re: svn commit: r348843 - head/sys/vm
In-Reply-To: <201906100307.x5A37BFt099669@repo.freebsd.org>
Message-ID: <20190610160930.S2504@besplex.bde.org>
References: <201906100307.x5A37BFt099669@repo.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 06:54:21 -0000

On Mon, 10 Jun 2019, Doug Moore wrote:

> Log:
>  There are times when a len==0 parameter to mmap is okay. But on a
>  32-bit machine, a len parameter just a few bytes short of 4G, rounded
>  up to a page boundary and hitting zero then, is not okay. Return
>  failure in that case.

Some overflows still occur.

The problem is not limited to 32-bit machines.  The first overflow is for a
len parameter just a few bytes short of SIZE_MAX added to a page offset of
a few bytes.  This overflows to a small value.  Then rounding up to a page
boundary doesn't overflow, but gives 0 or PAGE_SIZE, so the new overflow
check doesn't work and overflow still occurs.

The second overflow is for a len parameter just a few bytes short of
SIZE_MAX with the first overflow not occurring (usually because the offset
is 0).  This is now detected.

>  Reported by: pho
>  Reviewed by: alc, kib (mentor)
>  Tested by: pho
>  Differential Revision: https://reviews.freebsd.org/D20580
>
> Modified:
>  head/sys/vm/vm_mmap.c
>
> Modified: head/sys/vm/vm_mmap.c
> ==============================================================================
> --- head/sys/vm/vm_mmap.c	Sun Jun  9 22:55:21 2019	(r348842)
> +++ head/sys/vm/vm_mmap.c	Mon Jun 10 03:07:10 2019	(r348843)
> @@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t s
>
> 	/* Adjust size for rounding (on both ends). */
> 	size += pageoff;			/* low end... */

The first overflow occurs here.  Except in special cases, pageoff can be
anything between 0 and PAGE_SIZE - 1, and size can be anything between 0
and SIZE_MAX.

> -	size = (vm_size_t) round_page(size);	/* hi end */
> +	/* Check for rounding up to zero. */
> +	if (round_page(size) < size)
> +		return (EINVAL);
> +	size = round_page(size);		/* hi end */
>
> 	/* Ensure alignment is at least a page and fits in a pointer. */
> 	align = flags & MAP_ALIGNMENT_MASK;
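Review bot: the new check does not cover the wrap in `size += pageoff` two lines above it; a len within PAGE_SIZE of SIZE_MAX plus a nonzero pageoff wraps to a small value before `round_page(size) < size` is evaluated, that value rounds to 0 or PAGE_SIZE without wrapping again, and the mapping proceeds. Since pageoff is below PAGE_SIZE, a wrapped sum is always smaller than pageoff, so the addition overflow can be rejected in the same test, e.g. `if (size < pageoff || round_page(size) < size) return (EINVAL);` after the addition, with the comment widened from "rounding up to zero" to say that both the offset adjustment and the rounding are being checked for wrap. The errno also deserves a word in the commit message or mmap(2): mmap(2) documents ENOMEM for ranges that cannot be mapped, so if EINVAL is intended for an overflowing len that should be stated.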

This bug was implemented in r239247 and affects all versions of FreeBSD
newer than FreeBSD-7.  Before then, FreeBSD used the bogus 4.4BSD check
that (ssize_t)uap->len >= 0 (else return EINVAL).  This behaviour was
even documented.  POSIX doesn't allow this -- it requires ENOMEM for
invalid ranges, though it should require EOVERFLOW for ranges that are
so invalid that they overflow something.

Bruce
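As an added example, not code from FreeBSD or from either message above, the following C models the size adjustment in kern_mmap() with the check as committed in r348843, and beside it a variant that also rejects the earlier wrap in `size += pageoff`. PAGE_SIZE is assumed to be 4096, and the function names `adjust_r348843` and `adjust_checked` are this example's own.

```c
/*
 * Constructed model of the kern_mmap() size adjustment (not FreeBSD code).
 * PAGE_SIZE 4096 is an assumption of this example; the kernel's value is
 * architecture dependent.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1)

/* Same arithmetic as the kernel macro: wraps to 0 when x is within
 * PAGE_MASK of SIZE_MAX, which is what r348843 detects. */
static size_t round_page(size_t x)
{
	return ((x + PAGE_MASK) & ~PAGE_MASK);
}

/*
 * The adjustment as committed in r348843 (hypothetical name).  Returns 0
 * and stores the rounded size in *out, or EINVAL when round_page() wrapped.
 * The addition on the first line can wrap silently before the check runs.
 */
int adjust_r348843(size_t len, size_t pageoff, size_t *out)
{
	size_t size = len;

	size += pageoff;		/* low end: may wrap to a small value */
	if (round_page(size) < size)	/* only catches the wrap inside round_page() */
		return (EINVAL);
	*out = round_page(size);	/* hi end */
	return (0);
}

/*
 * Hardened variant (this example's own, not the project's).  pageoff is
 * below PAGE_SIZE, so if len + pageoff wrapped the sum is smaller than
 * pageoff; that test plus the rounding test covers both overflows.
 * EINVAL is kept to match the commit; mmap(2) documents ENOMEM for
 * unmappable ranges, so a real fix might choose that instead.
 */
int adjust_checked(size_t len, size_t pageoff, size_t *out)
{
	size_t size = len;

	size += pageoff;
	if (size < pageoff || round_page(size) < size)
		return (EINVAL);
	*out = round_page(size);
	return (0);
}

int main(void)
{
	size_t out = 0;
	int rv;

	/* len a few bytes short of SIZE_MAX with a nonzero page offset:
	 * the sum wraps to 2, rounds to PAGE_SIZE, and r348843 accepts it. */
	rv = adjust_r348843(SIZE_MAX - 2, 5, &out);
	printf("r348843  len=SIZE_MAX-2 off=5: rv=%d size=%zu\n", rv, out);

	out = 0;
	rv = adjust_checked(SIZE_MAX - 2, 5, &out);
	printf("checked  len=SIZE_MAX-2 off=5: rv=%d (EINVAL=%d)\n", rv, EINVAL);

	/* Same len with offset 0: only round_page() wraps, and both reject. */
	rv = adjust_r348843(SIZE_MAX - 2, 0, &out);
	printf("r348843  len=SIZE_MAX-2 off=0: rv=%d\n", rv);

	/* Largest page-aligned len is still accepted by the hardened check. */
	rv = adjust_checked(SIZE_MAX - PAGE_MASK, 0, &out);
	printf("checked  len=SIZE_MAX-PAGE_MASK off=0: rv=%d size=%zx\n", rv, out);
	return (0);
}
```

The first case in main() is Bruce's "first overflow": with the committed check the wrapped sum 2 rounds up to one page and a request for almost the whole address space is accepted as a one-page mapping. The `size < pageoff` test is exact because pageoff is bounded by PAGE_SIZE - 1, so it cannot reject a legitimate len.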