From patchwork Tue Jun 9 10:38:05 2020
From: Alex Bennée
To: peter.maydell@linaro.org
Cc: Riku Voipio, Alex Bennée, qemu-devel@nongnu.org, Laurent Vivier
Subject: [PULL 13/17] linux-user: detect overflow of MAP_FIXED mmap
Date: Tue, 9 Jun 2020 11:38:05 +0100
Message-Id: <20200609103809.23443-14-alex.bennee@linaro.org>
In-Reply-To: <20200609103809.23443-1-alex.bennee@linaro.org>
References: <20200609103809.23443-1-alex.bennee@linaro.org>

Relaxing the restrictions on 64 bit guests leads to the user being able
to attempt to map right at the edge of addressable memory. This in turn
led to address overflow tripping the assert in page_set_flags when the
end address wrapped around. Detect the wrap earlier and correctly
-ENOMEM the guest (in the reported case LTP mmap15).

Fixes: 7d8cbbabcb
Signed-off-by: Alex Bennée
Reported-by: Laurent Vivier
Message-Id: <20200605154929.26910-15-alex.bennee@linaro.org>
--
2.20.1

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index caab62909eb..0019447892e 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -467,7 +467,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, * It can fail only on 64-bit host with 32-bit target. * On any other target/host host mmap() handles this error correctly. */ - if (!guest_range_valid(start, len)) { + if (end < start || !guest_range_valid(start, len)) { errno = ENOMEM; goto fail; }
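Review bot: the comment directly above the changed condition still says the check "can fail only on 64-bit host with 32-bit target", but the new `end < start` clause exists precisely for 64-bit guests mapping at the top of their own address space (the LTP mmap15 case from the commit message), so that comment is now stale and should be extended to describe both failure modes. It is also worth confirming in the surrounding code, which this hunk does not show, that `end` is the page-aligned end address that page_set_flags later receives, since a wrap of the aligned range, not the raw `start + len`, is what tripped the assert.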
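To make the wrap the commit message describes concrete, here is an added stand-alone model of the check (example code written for this page, not QEMU's own target_mmap or guest_range_valid): the guest address type is modelled as uint64_t for a 64-bit guest, a 4 KiB page size and a full 64-bit guest address space are assumed, and `range_fits` is a simplified stand-in for the pre-existing range check.

```c
/* Added example (not QEMU code): model of the MAP_FIXED wrap check.
 * Assumptions: 64-bit guest addresses, 4 KiB pages, full address space. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TARGET_PAGE_SIZE 4096ULL
#define GUEST_ADDR_MAX   UINT64_MAX   /* assumption: whole 64-bit space usable */

/* Simplified stand-in for the existing range check: it only looks at the
 * (wrapped) end address, so for a 64-bit guest it can never see the wrap. */
static bool range_fits(uint64_t start, uint64_t len)
{
    return start + len - 1 <= GUEST_ADDR_MAX;
}

/* Round len up to whole pages and compute the end address; when the sum
 * overflows 64 bits the result is smaller than start. */
static uint64_t aligned_end(uint64_t start, uint64_t len)
{
    uint64_t real_len = (len + TARGET_PAGE_SIZE - 1) & ~(TARGET_PAGE_SIZE - 1);
    return start + real_len;
}

/* Before the patch: only the range check, which misses the wrap. */
int target_mmap_check_before(uint64_t start, uint64_t len)
{
    return range_fits(start, len) ? 0 : -ENOMEM;
}

/* After the patch: reject a wrapped range before it reaches page_set_flags(). */
int target_mmap_check_after(uint64_t start, uint64_t len)
{
    uint64_t end = aligned_end(start, len);
    if (end < start || !range_fits(start, len)) {
        return -ENOMEM;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the last guest page, and an ordinary range. */
    uint64_t edge = 0xFFFFFFFFFFFFF000ULL;
    printf("edge page, 2 pages: before=%d after=%d\n",
           target_mmap_check_before(edge, 0x2000),
           target_mmap_check_after(edge, 0x2000));
    printf("ordinary range: after=%d\n", target_mmap_check_after(0x10000, 0x1000));
    return 0;
}
```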