From: Helge Deller <deller@gmx.de>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Peter Maydell" <peter.maydell@linaro.org>
Cc: Laurent Vivier <laurent@vivier.eu>,
qemu-devel@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>,
Michael Tokarev <mjt@tls.msk.ru>
Subject: Re: [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall
Date: Tue, 18 Jul 2023 20:18:37 +0200
Message-ID: <dffa87cd-15a4-a064-5c0d-d02a8c3412b9@gmx.de>
In-Reply-To: <238b4fcf-b7ff-f89f-187e-7c52dd6b782f@linaro.org>
On 7/18/23 00:02, Philippe Mathieu-Daudé wrote:
> On 17/7/23 23:35, Helge Deller wrote:
>> Fix the math overflow when calculating the new_malloc_size.
>>
>> new_host_brk_page and brk_page are unsigned integers. If userspace
>> reduces the heap, new_host_brk_page is lower than brk_page which results
>> in a huge positive number (but should actually be negative).
>>
>> Fix it by adding a proper check and as such make the code more readable.
>>
>> Signed-off-by: Helge Deller <deller@gmx.de>
>> Tested-by: Markus F.X.J. Oberhumer <notifications@github.com>
>
> Tested-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
Ok.
>> Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
>
> Hmm isn't it:
>
> Fixes: ef4330c23b ("linux-user: Handle brk() attempts with very large sizes")
It's really 86f04735ac because this one introduced freeing of memory which
can lead to new_host_brk_page becoming smaller than brk_page.
>> Buglink: https://github.com/upx/upx/issues/683
>
> Also:
>
> Cc: qemu-stable@nongnu.org
Yep.
>
>> ---
>> linux-user/syscall.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 92d146f8fb..aa906bedcc 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -860,12 +860,13 @@ abi_long do_brk(abi_ulong brk_val)
>> * itself); instead we treat "mapped but at wrong address" as
>> * a failure and unmap again.
>> */
>> - new_alloc_size = new_host_brk_page - brk_page;
>> - if (new_alloc_size) {
>> + if (new_host_brk_page > brk_page) {
>> + new_alloc_size = new_host_brk_page - brk_page;
>> mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
>> PROT_READ|PROT_WRITE,
>> MAP_ANON|MAP_PRIVATE, 0, 0));
>> } else {
>> + new_alloc_size = 0;
>> mapped_addr = brk_page;
>> }
>>
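Review bot: the else branch now absorbs both the unchanged heap and the shrinking heap (new_host_brk_page < brk_page) and reports mapped_addr = brk_page for both; since the hunk no longer shows where a shrink releases pages, a one-line comment before the `if` saying that the shrink case is already handled earlier in do_brk (the page release from 86f04735ac, per the Fixes tag) would save the next reader from wondering why a shrink is treated as a successful mapping. Initialising new_alloc_size = 0 in the else branch keeps the variable defined on every path, which is the right call.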
>> --
>> 2.41.0
>
> Alternatively:
>
> -- >8 --
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 1464151826..aafb13f3b4 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -814,7 +814,7 @@ void target_set_brk(abi_ulong new_brk)
> abi_long do_brk(abi_ulong brk_val)
> {
> abi_long mapped_addr;
> - abi_ulong new_alloc_size;
> + abi_long new_alloc_size;
> abi_ulong new_brk, new_host_brk_page;
>
> /* brk pointers are always untagged */
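Review bot: declaring a byte count as abi_long means a negative value is a signal ("heap shrank, nothing to map"), not a size; if this direction is kept, a comment at the declaration saying so would make the sign test that follows self-explanatory, and it should also say why the unsigned type used for new_brk and new_host_brk_page is not used here.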
> @@ -857,8 +857,8 @@ abi_long do_brk(abi_ulong brk_val)
> * a failure and unmap again.
> */
> new_alloc_size = new_host_brk_page - brk_page;
> - if (new_alloc_size) {
> - mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
> + if (new_alloc_size > 0) {
> + mapped_addr = get_errno(target_mmap(brk_page, (abi_ulong)new_alloc_size,
> PROT_READ|PROT_WRITE,
> MAP_ANON|MAP_PRIVATE, 0, 0));
> } else {
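Review bot: `new_host_brk_page - brk_page` is still evaluated in abi_ulong and only then converted to abi_long, so a shrink produces a value above the signed maximum and its conversion is implementation-defined in C (GCC and Clang reduce modulo 2^N, which is what the `> 0` test relies on). Comparing the two abi_ulong values directly before subtracting avoids both the conversion and the `(abi_ulong)` cast at the target_mmap call; if the signed version is preferred, the cast and the reliance on the modulo conversion deserve a comment.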
possible, but I like my patch more.
> Anyhow,
>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thanks!
Helge
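The overflow the commit message describes, as an added example that is not part of this thread or of QEMU's code: it models abi_ulong/abi_long as 64-bit types (an assumption; QEMU picks the width per target) and puts the pre-patch unsigned subtraction beside the two proposed fixes, so the wrapped size a shrinking heap would have handed to mmap is visible next to the value each fix produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Stand-ins for QEMU's abi_ulong / abi_long (assumption: 64-bit target). */
typedef uint64_t abi_ulong;
typedef int64_t abi_long;

/* Pre-patch computation: the difference is taken in unsigned arithmetic,
 * so a shrinking heap (new_host_brk_page < brk_page) wraps to a huge value
 * that the old `if (new_alloc_size)` test treats as a request to map. */
abi_ulong alloc_size_prepatch(abi_ulong brk_page, abi_ulong new_host_brk_page)
{
    return new_host_brk_page - brk_page;
}

/* Variant from the patch under review: compare the two unsigned values
 * first and subtract only when the heap grows; 0 otherwise. */
abi_ulong alloc_size_checked(abi_ulong brk_page, abi_ulong new_host_brk_page)
{
    if (new_host_brk_page > brk_page) {
        return new_host_brk_page - brk_page;
    }
    return 0;
}

/* Alternative from the reply: keep the unsigned subtraction but store it in a
 * signed type and test for > 0. Converting a value above INT64_MAX to abi_long
 * is implementation-defined in C; GCC and Clang reduce modulo 2^64, which is
 * what makes the shrink case come out negative here. */
abi_long alloc_size_signed(abi_ulong brk_page, abi_ulong new_host_brk_page)
{
    abi_long new_alloc_size = (abi_long)(new_host_brk_page - brk_page);
    return new_alloc_size > 0 ? new_alloc_size : 0;
}

/* The old gate: any non-zero size reached target_mmap. */
int prepatch_would_mmap(abi_ulong brk_page, abi_ulong new_host_brk_page)
{
    return alloc_size_prepatch(brk_page, new_host_brk_page) != 0;
}

int main(void)
{
    /* Constructed page-aligned addresses: heap top at brk_page, then a
     * shrink by one 4 KiB page and a growth by three pages. */
    abi_ulong brk_page = 0x10000000ULL;
    abi_ulong shrink = 0x0FFFF000ULL;
    abi_ulong grow = 0x10003000ULL;

    printf("shrink: pre-patch size 0x%" PRIx64 " (mmap attempted: %d), "
           "checked %" PRIu64 ", signed %" PRId64 "\n",
           alloc_size_prepatch(brk_page, shrink),
           prepatch_would_mmap(brk_page, shrink),
           alloc_size_checked(brk_page, shrink),
           alloc_size_signed(brk_page, shrink));
    printf("grow: pre-patch %" PRIu64 ", checked %" PRIu64 ", signed %" PRId64 "\n",
           alloc_size_prepatch(brk_page, grow),
           alloc_size_checked(brk_page, grow),
           alloc_size_signed(brk_page, grow));
    return 0;
}
```

Both fixes agree on every input; the difference is that the checked form never performs the out-of-range conversion, which is why it needs no cast at the mmap call.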