From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Helge Deller <deller@gmx.de>, Peter Maydell <peter.maydell@linaro.org>
Cc: Laurent Vivier <laurent@vivier.eu>,
qemu-devel@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>,
Michael Tokarev <mjt@tls.msk.ru>
Subject: Re: [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall
Date: Tue, 18 Jul 2023 00:02:52 +0200
Message-ID: <238b4fcf-b7ff-f89f-187e-7c52dd6b782f@linaro.org>
In-Reply-To: <20230717213545.142598-5-deller@gmx.de>
On 17/7/23 23:35, Helge Deller wrote:
> Fix the math overflow when calculating the new_malloc_size.
>
> new_host_brk_page and brk_page are unsigned integers. If userspace
> reduces the heap, new_host_brk_page is lower than brk_page which results
> in a huge positive number (but should actually be negative).
>
> Fix it by adding a proper check and as such make the code more readable.
>
> Signed-off-by: Helge Deller <deller@gmx.de>
> Tested-by: Markus F.X.J. Oberhumer <notifications@github.com>
Tested-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
> Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Hmm isn't it:
Fixes: ef4330c23b ("linux-user: Handle brk() attempts with very large sizes")
?
> Buglink: https://github.com/upx/upx/issues/683
Also:
Cc: qemu-stable@nongnu.org
> ---
> linux-user/syscall.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 92d146f8fb..aa906bedcc 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -860,12 +860,13 @@ abi_long do_brk(abi_ulong brk_val)
> * itself); instead we treat "mapped but at wrong address" as
> * a failure and unmap again.
> */
> - new_alloc_size = new_host_brk_page - brk_page;
> - if (new_alloc_size) {
> + if (new_host_brk_page > brk_page) {
> + new_alloc_size = new_host_brk_page - brk_page;
> mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
> PROT_READ|PROT_WRITE,
> MAP_ANON|MAP_PRIVATE, 0, 0));
> } else {
> + new_alloc_size = 0;
> mapped_addr = brk_page;
> }
>
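Review bot: the `else` branch at `} else {` now absorbs the shrink case (new_host_brk_page < brk_page) together with the no-change case, and both fall through to `mapped_addr = brk_page;` with `new_alloc_size = 0;`. That is what avoids the wrapped unsigned subtraction the commit message describes, but nothing in the hunk says that allocating nothing on a shrink is deliberate, so a one-line comment above the `else` stating that only growth is mapped here would save the next reader from re-deriving it.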
> --
> 2.41.0
Alternatively:
-- >8 --
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1464151826..aafb13f3b4 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -814,7 +814,7 @@ void target_set_brk(abi_ulong new_brk)
abi_long do_brk(abi_ulong brk_val)
{
abi_long mapped_addr;
- abi_ulong new_alloc_size;
+ abi_long new_alloc_size;
abi_ulong new_brk, new_host_brk_page;
/* brk pointers are always untagged */
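Review bot: with `abi_long new_alloc_size;` the sign of the variable now carries meaning (negative means the heap shrank), and the only hint of that in the function is the later `(abi_ulong)new_alloc_size` cast; a short comment at the declaration saying it is signed on purpose would document the intent.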
@@ -857,8 +857,8 @@ abi_long do_brk(abi_ulong brk_val)
* a failure and unmap again.
*/
new_alloc_size = new_host_brk_page - brk_page;
- if (new_alloc_size) {
- mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
+ if (new_alloc_size > 0) {
+ mapped_addr = get_errno(target_mmap(brk_page,
(abi_ulong)new_alloc_size,
PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, 0, 0));
} else {
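Review bot: the subtraction in `new_alloc_size = new_host_brk_page - brk_page;` is still evaluated in abi_ulong and only afterwards converted to the now-signed abi_long, so the negative value for a shrink comes from an out-of-range unsigned-to-signed conversion, which is implementation-defined in C (two's-complement wraparound in practice). It also only holds while the shrink is smaller than half the target address space; a larger one converts back to a positive abi_long and passes `if (new_alloc_size > 0)`. If this variant is preferred, a comment noting that assumption is warranted; otherwise the explicit `new_host_brk_page > brk_page` comparison from the original patch avoids the question entirely.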
---
Anyhow,
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thanks!
Phil.
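The unsigned wraparound described in the commit message, and the difference between the two proposed fixes, as an added example that is not part of this thread or of QEMU's code. It models the new_alloc_size computation from do_brk() for a 32-bit target, so abi_ulong and abi_long are stand-ins for uint32_t and int32_t (an assumption for illustration); NO_MMAP marks the branch that skips target_mmap() and sets mapped_addr = brk_page:

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code: models the new_alloc_size computation in
 * do_brk() from linux-user/syscall.c for a 32-bit target, so abi_ulong and
 * abi_long are stand-ins for uint32_t and int32_t (assumption). */
typedef uint32_t abi_ulong;
typedef int32_t abi_long;

/* Returned when the else branch (mapped_addr = brk_page) is taken. */
#define NO_MMAP (-1)

/* Original computation: unsigned difference, target_mmap() is called whenever
 * it is non-zero. A shrink (new_host_brk_page < brk_page) wraps to a huge size. */
static int64_t alloc_size_original(abi_ulong new_host_brk_page, abi_ulong brk_page)
{
    abi_ulong new_alloc_size = new_host_brk_page - brk_page;
    return new_alloc_size ? (int64_t)new_alloc_size : NO_MMAP;
}

/* Helge's patch: compare first and compute a size only when the heap grows. */
static int64_t alloc_size_compare_first(abi_ulong new_host_brk_page, abi_ulong brk_page)
{
    if (new_host_brk_page > brk_page) {
        return (int64_t)(new_host_brk_page - brk_page);
    }
    return NO_MMAP;
}

/* Phil's alternative: keep the difference in a signed variable and map only
 * when it is positive. The unsigned result is converted to abi_long, which
 * yields a negative number for a shrink on two's-complement targets, but a
 * shrink of more than half the address space lands in the positive range. */
static int64_t alloc_size_signed(abi_ulong new_host_brk_page, abi_ulong brk_page)
{
    abi_long new_alloc_size = (abi_long)(new_host_brk_page - brk_page);
    if (new_alloc_size > 0) {
        return (int64_t)(abi_ulong)new_alloc_size;
    }
    return NO_MMAP;
}

int main(void)
{
    /* Constructed inputs: the heap grows by 64 KiB, then shrinks by 64 KiB. */
    abi_ulong brk_page = 0x20000;
    printf("grow  : original=%lld compare_first=%lld signed=%lld\n",
           (long long)alloc_size_original(0x30000, brk_page),
           (long long)alloc_size_compare_first(0x30000, brk_page),
           (long long)alloc_size_signed(0x30000, brk_page));
    printf("shrink: original=%lld compare_first=%lld signed=%lld\n",
           (long long)alloc_size_original(0x10000, brk_page),
           (long long)alloc_size_compare_first(0x10000, brk_page),
           (long long)alloc_size_signed(0x10000, brk_page));
    /* A shrink larger than half the address space fools the signed variant. */
    printf("large shrink: signed=%lld\n",
           (long long)alloc_size_signed(0x1000, 0x90000000u));
    return 0;
}
```

On the shrink input the original form hands a size of 0xFFFF0000 to the mmap call, while both fixes skip the mapping; the last line shows the case where only the compare-first form still gets it right.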
Thread overview: 18+ messages
2023-07-17 21:35 [PATCH 0/6] linux-user: brk() syscall fixes and armhf static binary fix Helge Deller
2023-07-17 21:35 ` [PATCH 1/6] Revert "linux-user: Make sure initial brk(0) is page-aligned" Helge Deller
2023-07-18 13:53 ` Andreas Schwab
2023-07-18 15:47 ` Helge Deller
2023-07-17 21:35 ` [PATCH 2/6] linux-user: Fix qemu brk() to not zero bytes on current page Helge Deller
2023-07-17 21:35 ` [PATCH 3/6] linux-user: Prohibit brk() to to shrink below initial heap address Helge Deller
2023-07-17 21:35 ` [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall Helge Deller
2023-07-17 22:02 ` Philippe Mathieu-Daudé [this message]
2023-07-18 18:18 ` Helge Deller
2023-07-17 21:35 ` [PATCH 5/6] linux-user: Fix strace output for old_mmap Helge Deller
2023-07-17 21:35 ` [PATCH 6/6] linux-user: Fix qemu-arm to run static armhf binaries Helge Deller
2023-07-18 4:19 ` Michael Tokarev
2023-07-17 21:43 ` [PATCH 0/6] linux-user: brk() syscall fixes and armhf static binary fix Philippe Mathieu-Daudé
2023-07-18 3:03 ` Song Gao
2023-07-18 5:42 ` Helge Deller
2023-07-18 7:25 ` Song Gao
2023-07-18 8:30 ` Michael Tokarev
2023-07-19 11:39 ` Michael Tokarev