qemu-devel.nongnu.org archive mirror
From: Laurent Vivier <laurent@vivier.eu>
To: qemu-devel@nongnu.org
Cc: Tobias Koch <tobias.koch@nonterra.com>,
	Laurent Vivier <laurent@vivier.eu>
Subject: [PULL 01/14] linux-user/mmap.c: check range of mremap result in target address space
Date: Fri, 18 Dec 2020 11:23:54 +0100
Message-ID: <20201218102407.597566-2-laurent@vivier.eu>
In-Reply-To: <20201218102407.597566-1-laurent@vivier.eu>

From: Tobias Koch <tobias.koch@nonterra.com>

If mremap succeeds, an additional check is performed to ensure that the
new address range fits into the target address space. This check was
previously performed in host address space, with the upper bound fixed to
abi_ulong.

This patch replaces the static check with a call to `guest_range_valid`,
performing the range check against the actual size of the target address
space. It also moves the corresponding block to prevent it from being
called incorrectly when the mapping itself fails.

Signed-off-by: Tobias Koch <tobias.koch@nonterra.com>
Message-Id: <20201028213833.26592-1-tobias.koch@nonterra.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/mmap.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 00c05e6a0f19..810653c50357 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -767,20 +767,23 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
         }
         if (prot == 0) {
             host_addr = mremap(g2h(old_addr), old_size, new_size, flags);
-            if (host_addr != MAP_FAILED && reserved_va && old_size > new_size) {
-                mmap_reserve(old_addr + old_size, old_size - new_size);
+
+            if (host_addr != MAP_FAILED) {
+                /* Check if address fits target address space */
+                if (!guest_range_valid(h2g(host_addr), new_size)) {
+                    /* Revert mremap() changes */
+                    host_addr = mremap(g2h(old_addr), new_size, old_size,
+                                       flags);
+                    errno = ENOMEM;
+                    host_addr = MAP_FAILED;
+                } else if (reserved_va && old_size > new_size) {
+                    mmap_reserve(old_addr + old_size, old_size - new_size);
+                }
             }
         } else {
             errno = ENOMEM;
             host_addr = MAP_FAILED;
         }
-        /* Check if address fits target address space */
-        if ((unsigned long)host_addr + new_size > (abi_ulong)-1) {
-            /* Revert mremap() changes */
-            host_addr = mremap(g2h(old_addr), new_size, old_size, flags);
-            errno = ENOMEM;
-            host_addr = MAP_FAILED;
-        }
     }
 
     if (host_addr == MAP_FAILED) {
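Review bot: the revert call `host_addr = mremap(g2h(old_addr), new_size, old_size, flags);` discards its own result, because the two lines that follow set `errno = ENOMEM;` and `host_addr = MAP_FAILED;` unconditionally, so a failed revert goes unnoticed and leaves the host mapping at new_size while the guest is told the call failed. The removed block had the same pattern, but since the code is being moved anyway, consider storing the revert result in a separate variable and asserting or logging when it is MAP_FAILED instead of overwriting it. The relocation itself does what the commit message promises: the range check now only runs inside `if (host_addr != MAP_FAILED)`, and the `else if` keeps mmap_reserve() from being applied to a mapping that was just reverted.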
-- 
2.29.2




Thread overview: 16+ messages
2020-12-18 10:23 [PULL 00/14] Linux user for 6.0 patches Laurent Vivier
2020-12-18 10:23 ` Laurent Vivier [this message]
2020-12-18 10:23 ` [PULL 02/14] linux-user/elfload: Move GET_FEATURE macro out of get_elf_hwcap() body Laurent Vivier
2020-12-18 10:23 ` [PULL 03/14] linux-user/elfload: Rename MIPS GET_FEATURE() as GET_FEATURE_INSN() Laurent Vivier
2020-12-18 10:23 ` [PULL 04/14] linux-user/elfload: Introduce MIPS GET_FEATURE_REG_SET() macro Laurent Vivier
2020-12-18 10:23 ` [PULL 05/14] linux-user/elfload: Introduce MIPS GET_FEATURE_REG_EQU() macro Laurent Vivier
2020-12-18 10:23 ` [PULL 06/14] linux-user/elfload: Update HWCAP bits from linux 5.7 Laurent Vivier
2020-12-18 10:24 ` [PULL 07/14] linux-user: Add support for MIPS Loongson 2F/3A Laurent Vivier
2020-12-18 10:24 ` [PULL 08/14] docs/user: Display linux-user binaries nicely Laurent Vivier
2020-12-18 10:24 ` [PULL 09/14] linux-user: Implement copy_file_range Laurent Vivier
2020-12-18 10:24 ` [PULL 10/14] linux-user: Add most IFTUN ioctls Laurent Vivier
2020-12-18 10:24 ` [PULL 11/14] linux-user/sparc: Correct sparc64_get/set_context() FPU handling Laurent Vivier
2020-12-18 10:24 ` [PULL 12/14] linux-user/sparc: Remove unneeded checks of 'err' from sparc64_get_context() Laurent Vivier
2020-12-18 10:24 ` [PULL 13/14] linux-user/sparc: Don't restore %g7 in sparc64_set_context() Laurent Vivier
2020-12-18 10:24 ` [PULL 14/14] linux-user/sparc: Handle tstate in sparc64_get/set_context() Laurent Vivier
2020-12-31 15:54 ` [PULL 00/14] Linux user for 6.0 patches Peter Maydell
