Date: Mon, 10 Jun 2019 16:54:09 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
To: Doug Moore
cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r348843 - head/sys/vm
In-Reply-To: <201906100307.x5A37BFt099669@repo.freebsd.org>
Message-ID: <20190610160930.S2504@besplex.bde.org>
References: <201906100307.x5A37BFt099669@repo.freebsd.org>

On Mon, 10 Jun 2019, Doug Moore wrote:

> Log:
>   There are times when a len==0 parameter to mmap is okay. But on a
>   32-bit machine, a len parameter just a few bytes short of 4G, rounded
>   up to a page boundary and hitting zero then, is not okay. Return
>   failure in that case.

Some overflows still occur. The problem is not limited to 32-bit machines.

The first overflow is for a len parameter just a few bytes short of
SIZE_MAX added to a page offset of a few bytes. This overflows to a small
value. Then rounding up to a page boundary doesn't overflow, but gives 0
or PAGE_SIZE, so the new overflow check doesn't work and overflow still
occurs.

The second overflow is for a len parameter just a few bytes short of
SIZE_MAX with the first overflow not occurring (usually because the offset
is 0). This is now detected.

> Reported by:	pho
> Reviewed by:	alc, kib (mentor)
> Tested by:	pho
> Differential Revision:	https://reviews.freebsd.org/D20580
>
> Modified:
>   head/sys/vm/vm_mmap.c
>
> Modified: head/sys/vm/vm_mmap.c
> ==============================================================================
> --- head/sys/vm/vm_mmap.c	Sun Jun 9 22:55:21 2019	(r348842)
> +++ head/sys/vm/vm_mmap.c	Mon Jun 10 03:07:10 2019	(r348843)
> @@ -257,7 +257,10 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t s
>
>  	/* Adjust size for rounding (on both ends). */
>  	size += pageoff;			/* low end... */

The first overflow occurs here. Except in special cases, pageoff can be
anything between 0 and PAGE_SIZE - 1, and size can be anything between 0
and SIZE_MAX.

> -	size = (vm_size_t) round_page(size);	/* hi end */
> +	/* Check for rounding up to zero. */
> +	if (round_page(size) < size)
> +		return (EINVAL);
> +	size = round_page(size);		/* hi end */
>
>  	/* Ensure alignment is at least a page and fits in a pointer. */
>  	align = flags & MAP_ALIGNMENT_MASK;

This bug was implemented in r239247 and affects all versions of FreeBSD
newer than FreeBSD-7. Before then, FreeBSD used the bogus 4.4BSD check
that (ssize_t)uap->len >= 0 (else return EINVAL). This behaviour was even
documented. POSIX doesn't allow this -- it requires ENOMEM for invalid
ranges, though it should require EOVERFLOW for ranges that are so invalid
that they overflow something.

Bruce
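Review bot: the new check in the kern_mmap() hunk guards only the second of the two wraps on this path. `if (round_page(size) < size)` fires when rounding wraps to zero, but the unchanged context line just above it, `size += pageoff;`, can already wrap a `size` within a few bytes of SIZE_MAX to a small value whenever `pageoff` is nonzero; after that the rounding succeeds and the request is accepted, which is the first overflow described in the reply. Suggest rejecting the addition overflow before the rounding, for example `if (size > SIZE_MAX - pageoff) return (EINVAL);` placed ahead of `size += pageoff;`, and widening the added comment `/* Check for rounding up to zero. */` so it documents both conditions being rejected.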
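As an added illustration, not part of Bruce's message or of the FreeBSD source, the following C program models the size adjustment discussed above in userland arithmetic. `adjust_r348843` reproduces the check as committed; `adjust_checked` is a hypothetical tightening that also rejects a wrap in the `size += pageoff` addition. The 4 KiB page geometry and the input cases are constructed for the demonstration, and `round_page` is a local function with the same arithmetic as the kernel macro.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed page geometry: 4 KiB pages (constructed; mirrors PAGE_SIZE/PAGE_MASK). */
#define DEMO_PAGE_SIZE ((size_t)4096)
#define DEMO_PAGE_MASK (DEMO_PAGE_SIZE - 1)

/* Same arithmetic as FreeBSD's round_page(): round up to a page boundary. */
static size_t
round_page(size_t x)
{
	return ((x + DEMO_PAGE_MASK) & ~DEMO_PAGE_MASK);
}

/* Sentinel used by the tabulating helpers when a request is rejected. */
#define REJECTED SIZE_MAX

/*
 * Model of the size adjustment in kern_mmap() after r348843: add the page
 * offset, then reject only if rounding the sum up to a page boundary wrapped.
 */
int
adjust_r348843(size_t size, size_t pageoff, size_t *out)
{
	size += pageoff;			/* may itself wrap to a small value */
	if (round_page(size) < size)		/* catches a wrap during rounding only */
		return (EINVAL);
	*out = round_page(size);
	return (0);
}

/*
 * Hypothetical tightened version (not FreeBSD's code): refuse the request if
 * adding pageoff would wrap, before any rounding takes place.
 */
int
adjust_checked(size_t size, size_t pageoff, size_t *out)
{
	if (size > SIZE_MAX - pageoff)		/* size + pageoff would wrap */
		return (EINVAL);
	size += pageoff;
	if (round_page(size) < size)		/* rounding would wrap to zero */
		return (EINVAL);
	*out = round_page(size);
	return (0);
}

/* Fold the error into the return value so the two variants can be tabulated. */
size_t
r348843_size(size_t size, size_t pageoff)
{
	size_t out;

	return (adjust_r348843(size, pageoff, &out) == 0 ? out : REJECTED);
}

size_t
checked_size(size_t size, size_t pageoff)
{
	size_t out;

	return (adjust_checked(size, pageoff, &out) == 0 ? out : REJECTED);
}

static const char *
show(size_t v, char *buf, size_t n)
{
	if (v == REJECTED)
		return ("EINVAL");
	snprintf(buf, n, "%zu", v);
	return (buf);
}

int
main(void)
{
	/* Constructed requests; the last two are the "first overflow" cases. */
	struct { const char *what; size_t size, pageoff; } cases[] = {
		{ "ordinary request",          5000,         100 },
		{ "len == 0 (allowed)",        0,            0 },
		{ "near SIZE_MAX, pageoff 0",  SIZE_MAX - 2, 0 },	/* rounding wraps: caught */
		{ "near SIZE_MAX, pageoff 5",  SIZE_MAX - 2, 5 },	/* sum wraps to 2: missed */
		{ "near SIZE_MAX, pageoff 3",  SIZE_MAX - 2, 3 },	/* sum wraps to 0: missed */
	};
	char b1[32], b2[32];
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-26s r348843: %-8s checked: %s\n", cases[i].what,
		    show(r348843_size(cases[i].size, cases[i].pageoff), b1, sizeof(b1)),
		    show(checked_size(cases[i].size, cases[i].pageoff), b2, sizeof(b2)));
	return (0);
}
```

Running it shows the committed check rejecting the pageoff-0 case, while the two cases whose sum wraps to 2 or 0 come back as PAGE_SIZE and 0 respectively, exactly the "0 or PAGE_SIZE" outcome described in the message; the pre-addition bound rejects all three.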