[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall
|
From: |
Philippe Mathieu-Daudé |
|
Subject: |
Re: [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall |
|
Date: |
Tue, 18 Jul 2023 00:02:52 +0200 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 |
On 17/7/23 23:35, Helge Deller wrote:
Fix the math overflow when calculating the new_malloc_size.
new_host_brk_page and brk_page are unsigned integers. If userspace
reduces the heap, new_host_brk_page is lower than brk_page which results
in a huge positive number (but should actually be negative).
Fix it by adding a proper check and as such make the code more readable.
Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: Markus F.X.J. Oberhumer <notifications@github.com>
Tested-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Hmm isn't it:
Fixes: ef4330c23b ("linux-user: Handle brk() attempts with very large
sizes")
?
Buglink: https://github.com/upx/upx/issues/683
Also:
Cc: qemu-stable@nongnu.org
---
linux-user/syscall.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 92d146f8fb..aa906bedcc 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -860,12 +860,13 @@ abi_long do_brk(abi_ulong brk_val)
* itself); instead we treat "mapped but at wrong address" as
* a failure and unmap again.
*/
- new_alloc_size = new_host_brk_page - brk_page;
- if (new_alloc_size) {
+ if (new_host_brk_page > brk_page) {
+ new_alloc_size = new_host_brk_page - brk_page;
mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, 0, 0));
} else {
+ new_alloc_size = 0;
mapped_addr = brk_page;
}
--
2.41.0
Alternatively:
-- >8 --
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1464151826..aafb13f3b4 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -814,7 +814,7 @@ void target_set_brk(abi_ulong new_brk)
abi_long do_brk(abi_ulong brk_val)
{
abi_long mapped_addr;
- abi_ulong new_alloc_size;
+ abi_long new_alloc_size;
abi_ulong new_brk, new_host_brk_page;
/* brk pointers are always untagged */
@@ -857,8 +857,8 @@ abi_long do_brk(abi_ulong brk_val)
* a failure and unmap again.
*/
new_alloc_size = new_host_brk_page - brk_page;
- if (new_alloc_size) {
- mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
+ if (new_alloc_size > 0) {
+ mapped_addr = get_errno(target_mmap(brk_page,
(abi_ulong)new_alloc_size,
PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, 0, 0));
} else {
---
Anyhow,
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thanks!
Phil.
- [PATCH 0/6] linux-user: brk() syscall fixes and armhf static binary fix, Helge Deller, 2023/07/17
- [PATCH 1/6] Revert "linux-user: Make sure initial brk(0) is page-aligned", Helge Deller, 2023/07/17
- [PATCH 2/6] linux-user: Fix qemu brk() to not zero bytes on current page, Helge Deller, 2023/07/17
- [PATCH 3/6] linux-user: Prohibit brk() to to shrink below initial heap address, Helge Deller, 2023/07/17
- [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall, Helge Deller, 2023/07/17
- Re: [PATCH 4/6] linux-user: Fix signed math overflow in brk() syscall,
Philippe Mathieu-Daudé <=
- [PATCH 5/6] linux-user: Fix strace output for old_mmap, Helge Deller, 2023/07/17
- [PATCH 6/6] linux-user: Fix qemu-arm to run static armhf binaries, Helge Deller, 2023/07/17
- Re: [PATCH 0/6] linux-user: brk() syscall fixes and armhf static binary fix, Philippe Mathieu-Daudé, 2023/07/17
- Re: [PATCH 0/6] linux-user: brk() syscall fixes and armhf static binary fix, Song Gao, 2023/07/17