From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A0176C433E3 for ; Thu, 13 Aug 2020 06:51:29 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 6658620771 for ; Thu, 13 Aug 2020 06:51:29 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6658620771 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=vivier.eu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:49060 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k675E-0008Jh-Gn for qemu-devel@archiver.kernel.org; Thu, 13 Aug 2020 02:51:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:60288) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k673O-0006Pr-KX for qemu-devel@nongnu.org; Thu, 13 Aug 2020 02:49:34 -0400 Received: from mout.kundenserver.de ([217.72.192.75]:44567) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k673J-0004bn-Ca for qemu-devel@nongnu.org; Thu, 13 Aug 2020 02:49:34 -0400 Received: from localhost.localdomain ([82.252.135.186]) by mrelayeu.kundenserver.de (mreue107 [212.227.15.183]) with ESMTPSA (Nemesis) id 1M9nAB-1k0uW31P77-005sHP; Thu, 13 Aug 2020 08:49:26 +0200 From: Laurent Vivier To: qemu-devel@nongnu.org Subject: [PULL 02/14] linux-user: Validate mmap/mprotect prot value Date: Thu, 13 Aug 2020 08:49:11 +0200 Message-Id: <20200813064923.263565-3-laurent@vivier.eu> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200813064923.263565-1-laurent@vivier.eu> References: <20200813064923.263565-1-laurent@vivier.eu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Provags-ID: V03:K1:MRhH9J+P0CRWlAUTnys0givSaKEFDyAyISPI6Zx2JQHH/E8TC7A fpxBjntVvoxiS1cDgGL9+QI0A+Gvf/NfcBKch3cr5WlKAvPCF8TaF/VPkmoA4r3OC+4GRlS UDIFF5CpS2dhREiYDEn+r7T0gF8C4pHoW63LnNU2jlWD5KAGZykPBPZOpJdV6WCuFWUh1ap NYu+DX3Lr/fB/d5BGFWrg== X-UI-Out-Filterresults: notjunk:1;V03:K0:MnqWGUJFlaI=:V8FUSsWsAEedoemTbEGtrD Fa4Tc6Kh0HdtdfECUniVuedjNaN7nUHuCWkJC3mj/RsGZAMpIlq4NPJ/buAmNnHitGjRkuX9p 36ArzZKNhYc1FiMfmIUD7OBEjDeYMAFp6bTzDvA4mgrgn6ptkjqZbo3xj3Ud+KiLJEGVF8+3X bzli3oHOlAjMeBUPVGLjRw1kfKp07QGiuleAgj9IobYDyL/J6E5sfqwcQyJycuod5wPj6JKKm IfMTOJ7PS3uSZjDxVlvt/BygBeH30FU54tXfxPD+H8fh4Q1eNZA3iBIg1aNfD7f62Eri0yQMg 6XO+ZDxv1PmJoatR50Wg0ZRgIszQwNLsKczAJzm1hQwqsLsEEO5+ZIZ1JMFw8nH/9bGSVS5w+ P7gYQeKtA2eIWHepsZZ8eU8/JoVX+3mqM5A2ny/nxFiZGsze347IofQI/YlIyxNkasZ0a97Ic XKeOtEN4C9L9uwA3PGsu/xrym44T2fSzw1zyxuM0SfBHgDieIS/LYAy/MUGidyfUe8p9ww4x6 t4YiK76p3Nl5xEMW/l3xJ7O2VkH6HVCCNzYznCvX+PQxj3ZGSmVSUD/QKvHX+iqNOfB6JlSpy AqKg5UA0qlwOpo6+O4jKUY8WX49OrIIEJA3HoUKJhYq/XxwSmA6pdXy8/DJqK2dnxlGjs+3sy h6Opq2R8LldBXzHepzN4sS65j97FPLDckCrHw6l+p0/gCcFCwlGhKoAMCWmBLGG9HE9Nkl4vP 8wNOVac5lfvKuZR2xfAiagXxCjfHDV/bOKHjPSl6hgpm30bRHo8p3J7lb/Xc6N65Wj6EwLigx SVTu9fGH/f7xCBf4kIz11YKtf3oH6nPKj6xAdgFtt45sRccIgIeoNDEL0HQgoXr/ZmaARZX Received-SPF: none client-ip=217.72.192.75; envelope-from=laurent@vivier.eu; helo=mout.kundenserver.de X-detected-operating-system: by eggs.gnu.org: First seen = 2020/08/13 02:49:26 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Richard Henderson , Laurent Vivier Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" From: Richard Henderson The kernel will return -EINVAL for bits set in the prot argument that are unknown or invalid. Previously we were simply cropping out the bits that we care about. Introduce validate_prot_to_pageflags to perform this check in a single place between the two syscalls. Differentiate between the target and host versions of prot. Compute the qemu internal page_flags value at the same time. Signed-off-by: Richard Henderson Reviewed-by: Peter Maydell Message-Id: <20200519185645.3915-2-richard.henderson@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/mmap.c | 106 +++++++++++++++++++++++++++++++--------------- 1 file changed, 73 insertions(+), 33 deletions(-) diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 0019447892e0..46c7eeba9bd2 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -59,64 +59,96 @@ void mmap_fork_end(int child) pthread_mutex_unlock(&mmap_mutex); } +/* + * Validate target prot bitmask. + * Return the prot bitmask for the host in *HOST_PROT. + * Return 0 if the target prot bitmask is invalid, otherwise + * the internal qemu page_flags (which will include PAGE_VALID). + */ +static int validate_prot_to_pageflags(int *host_prot, int prot) +{ + int valid = PROT_READ | PROT_WRITE | PROT_EXEC | TARGET_PROT_SEM; + int page_flags = (prot & PAGE_BITS) | PAGE_VALID; + + /* + * For the host, we need not pass anything except read/write/exec. + * While PROT_SEM is allowed by all hosts, it is also ignored, so + * don't bother transforming guest bit to host bit. Any other + * target-specific prot bits will not be understood by the host + * and will need to be encoded into page_flags for qemu emulation. + */ + *host_prot = prot & (PROT_READ | PROT_WRITE | PROT_EXEC); + + return prot & ~valid ? 0 : page_flags; +} + /* NOTE: all the constants are the HOST ones, but addresses are target. */ -int target_mprotect(abi_ulong start, abi_ulong len, int prot) +int target_mprotect(abi_ulong start, abi_ulong len, int target_prot) { abi_ulong end, host_start, host_end, addr; - int prot1, ret; + int prot1, ret, page_flags, host_prot; - trace_target_mprotect(start, len, prot); + trace_target_mprotect(start, len, target_prot); - if ((start & ~TARGET_PAGE_MASK) != 0) + if ((start & ~TARGET_PAGE_MASK) != 0) { return -TARGET_EINVAL; + } + page_flags = validate_prot_to_pageflags(&host_prot, target_prot); + if (!page_flags) { + return -TARGET_EINVAL; + } len = TARGET_PAGE_ALIGN(len); end = start + len; if (!guest_range_valid(start, len)) { return -TARGET_ENOMEM; } - prot &= PROT_READ | PROT_WRITE | PROT_EXEC; - if (len == 0) + if (len == 0) { return 0; + } mmap_lock(); host_start = start & qemu_host_page_mask; host_end = HOST_PAGE_ALIGN(end); if (start > host_start) { /* handle host page containing start */ - prot1 = prot; - for(addr = host_start; addr < start; addr += TARGET_PAGE_SIZE) { + prot1 = host_prot; + for (addr = host_start; addr < start; addr += TARGET_PAGE_SIZE) { prot1 |= page_get_flags(addr); } if (host_end == host_start + qemu_host_page_size) { - for(addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) { + for (addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) { prot1 |= page_get_flags(addr); } end = host_end; } - ret = mprotect(g2h(host_start), qemu_host_page_size, prot1 & PAGE_BITS); - if (ret != 0) + ret = mprotect(g2h(host_start), qemu_host_page_size, + prot1 & PAGE_BITS); + if (ret != 0) { goto error; + } host_start += qemu_host_page_size; } if (end < host_end) { - prot1 = prot; - for(addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) { + prot1 = host_prot; + for (addr = end; addr < host_end; addr += TARGET_PAGE_SIZE) { prot1 |= page_get_flags(addr); } - ret = mprotect(g2h(host_end - qemu_host_page_size), qemu_host_page_size, - prot1 & PAGE_BITS); - if (ret != 0) + ret = mprotect(g2h(host_end - qemu_host_page_size), + qemu_host_page_size, prot1 & PAGE_BITS); + if (ret != 0) { goto error; + } host_end -= qemu_host_page_size; } /* handle the pages in the middle */ if (host_start < host_end) { - ret = mprotect(g2h(host_start), host_end - host_start, prot); - if (ret != 0) + ret = mprotect(g2h(host_start), host_end - host_start, host_prot); + if (ret != 0) { goto error; + } } - page_set_flags(start, start + len, prot | PAGE_VALID); + page_set_flags(start, start + len, page_flags); mmap_unlock(); return 0; error: @@ -360,19 +392,26 @@ abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size, abi_ulong align) } /* NOTE: all the constants are the HOST ones */ -abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, +abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot, int flags, int fd, abi_ulong offset) { abi_ulong ret, end, real_start, real_end, retaddr, host_offset, host_len; + int page_flags, host_prot; mmap_lock(); - trace_target_mmap(start, len, prot, flags, fd, offset); + trace_target_mmap(start, len, target_prot, flags, fd, offset); if (!len) { errno = EINVAL; goto fail; } + page_flags = validate_prot_to_pageflags(&host_prot, target_prot); + if (!page_flags) { + errno = EINVAL; + goto fail; + } + /* Also check for overflows... */ len = TARGET_PAGE_ALIGN(len); if (!len) { @@ -438,14 +477,15 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, /* Note: we prefer to control the mapping address. It is especially important if qemu_host_page_size > qemu_real_host_page_size */ - p = mmap(g2h(start), host_len, prot, + p = mmap(g2h(start), host_len, host_prot, flags | MAP_FIXED | MAP_ANONYMOUS, -1, 0); - if (p == MAP_FAILED) + if (p == MAP_FAILED) { goto fail; + } /* update start so that it points to the file position at 'offset' */ host_start = (unsigned long)p; if (!(flags & MAP_ANONYMOUS)) { - p = mmap(g2h(start), len, prot, + p = mmap(g2h(start), len, host_prot, flags | MAP_FIXED, fd, host_offset); if (p == MAP_FAILED) { munmap(g2h(start), host_len); @@ -479,19 +519,19 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, /* msync() won't work here, so we return an error if write is possible while it is a shared mapping */ if ((flags & MAP_TYPE) == MAP_SHARED && - (prot & PROT_WRITE)) { + (host_prot & PROT_WRITE)) { errno = EINVAL; goto fail; } - retaddr = target_mmap(start, len, prot | PROT_WRITE, + retaddr = target_mmap(start, len, target_prot | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (retaddr == -1) goto fail; if (pread(fd, g2h(start), len, offset) == -1) goto fail; - if (!(prot & PROT_WRITE)) { - ret = target_mprotect(start, len, prot); + if (!(host_prot & PROT_WRITE)) { + ret = target_mprotect(start, len, target_prot); assert(ret == 0); } goto the_end; @@ -502,13 +542,13 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, if (real_end == real_start + qemu_host_page_size) { /* one single host page */ ret = mmap_frag(real_start, start, end, - prot, flags, fd, offset); + host_prot, flags, fd, offset); if (ret == -1) goto fail; goto the_end1; } ret = mmap_frag(real_start, start, real_start + qemu_host_page_size, - prot, flags, fd, offset); + host_prot, flags, fd, offset); if (ret == -1) goto fail; real_start += qemu_host_page_size; @@ -517,7 +557,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, if (end < real_end) { ret = mmap_frag(real_end - qemu_host_page_size, real_end - qemu_host_page_size, end, - prot, flags, fd, + host_prot, flags, fd, offset + real_end - qemu_host_page_size - start); if (ret == -1) goto fail; @@ -533,13 +573,13 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, else offset1 = offset + real_start - start; p = mmap(g2h(real_start), real_end - real_start, - prot, flags, fd, offset1); + host_prot, flags, fd, offset1); if (p == MAP_FAILED) goto fail; } } the_end1: - page_set_flags(start, start + len, prot | PAGE_VALID); + page_set_flags(start, start + len, page_flags); the_end: trace_target_mmap_complete(start); if (qemu_loglevel_mask(CPU_LOG_PAGE)) { -- 2.26.2