From patchwork Sat Mar 13 09:47:45 2021
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 1452479
From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Alex Bennée, Laurent Vivier, Vincent Fazio
Subject: [PULL 3/5] linux-user/elfload: munmap proper address in pgd_find_hole_fallback
Date: Sat, 13 Mar 2021 10:47:45 +0100
Message-Id: <20210313094747.2966948-4-laurent@vivier.eu>
In-Reply-To: <20210313094747.2966948-1-laurent@vivier.eu>
References: <20210313094747.2966948-1-laurent@vivier.eu>
X-Mailer: git-send-email 2.29.2
From: Vincent Fazio

Previously, if the build host's libc did not define MAP_FIXED_NOREPLACE or if the running kernel didn't support that flag, it was possible for pgd_find_hole_fallback to munmap an incorrect address which could lead to SIGSEGV if the range happened to overlap with the mapped address of the QEMU binary.

mmap(0x1000, 22261224, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f889d331000
munmap(0x1000, 22261224) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x84b817} ---
++ killed by SIGSEGV +++

Now, always munmap the address returned by mmap.

Fixes: 2667e069e7b5 ("linux-user: don't use MAP_FIXED in pgd_find_hole_fallback")
Signed-off-by: Vincent Fazio
Reviewed-by: Laurent Vivier
Reviewed-by: Alex Bennée
Message-Id: <20210131061849.12615-1-vfazio@xes-inc.com>
Signed-off-by: Laurent Vivier
--- linux-user/elfload.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 140a9716324d..174ee7bad677 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2209,7 +2209,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, void * mmap_start = mmap((void *) align_start, guest_size, PROT_NONE, flags, -1, 0); if (mmap_start != MAP_FAILED) { - munmap((void *) align_start, guest_size); + munmap(mmap_start, guest_size); if (MAP_FIXED_NOREPLACE != 0 || mmap_start == (void *) align_start) { return (uintptr_t) mmap_start + offset;
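Review bot: The one-line change to `munmap(mmap_start, guest_size);` is the right fix, but a short comment above it would spare the next reader a trip through git blame: without MAP_FIXED (and when MAP_FIXED_NOREPLACE is compiled out to 0 or ignored by an older kernel) `align_start` is only a hint, so `mmap_start` is the only address known to belong to the probe mapping, and the old `munmap((void *) align_start, guest_size)` could unmap whatever already lived at the hint, which is the SIGSEGV reproduced in the commit message. The `MAP_FIXED_NOREPLACE != 0 || mmap_start == (void *) align_start` test on the following line already relies on the flag being defined to 0 when the libc lacks it, so the same comment is the natural place to state that assumption.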
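A stand-alone illustration of the probe-and-release pattern the patch corrects, added here as an example and not code from QEMU's elfload.c: `probe_hole`, `find_hole` and `live_mapping_survives` are hypothetical names, the search loop is a simplified stand-in for the real pgd_find_hole_fallback, and the constructed scenario in `live_mapping_survives` reproduces the commit message's case of a hint that already overlaps a live mapping.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0   /* same fallback the hunk's "!= 0" test implies */
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* Linux value, for strict -std builds */
#endif

/* Probe [hint, hint + size) with a PROT_NONE mapping: 1 = kernel honoured the
 * hint, 0 = it placed the probe elsewhere, -1 = mmap failed (e.g. EEXIST). */
static int probe_hole(uintptr_t hint, size_t size)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE;
    void *p = mmap((void *) hint, size, PROT_NONE, flags, -1, 0);
    if (p == MAP_FAILED) return -1;
    munmap(p, size);   /* the fix: release the address mmap returned, not the hint */
    return p == (void *) hint;
}

/* Walk upward from base in align-sized steps until a free hole of size bytes
 * is found; 0 means the range was exhausted. */
static uintptr_t find_hole(uintptr_t base, uintptr_t limit, size_t size, uintptr_t align)
{
    for (uintptr_t a = (base + align - 1) & ~(align - 1); a + size <= limit; a += align) {
        if (probe_hole(a, size) == 1) {
            return a;
        }
    }
    return 0;
}

/* The commit-message scenario: probe a hint that a live mapping already occupies.
 * Returns 1 if the live mapping survives; unmapping the hint, as the pre-fix code
 * did, would tear it down and the reads below would fault. */
static int live_mapping_survives(void)
{
    size_t sz = 4 * 4096;
    unsigned char *live = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (live == MAP_FAILED) return -1;
    memset(live, 0xA5, sz);
    int r = probe_hole((uintptr_t) live, sz);
    int ok = r != 1 && live[0] == 0xA5 && live[sz - 1] == 0xA5;
    munmap(live, sz);
    return ok;
}
```

On a kernel that enforces MAP_FIXED_NOREPLACE the occupied probe fails with EEXIST; on one that ignores the flag the probe is relocated, and either way only the returned address is unmapped.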