From patchwork Tue Jul 31 08:42:01 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Laurent Vivier <laurent@vivier.eu>
X-Patchwork-Id: 143177
Delivered-To: patch@linaro.org
Received: by 2002:a2e:9754:0:0:0:0:0 with SMTP id f20-v6csp5063393ljj;
 Tue, 31 Jul 2018 01:43:32 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpcBZbwPnGw/JCS0FbAG9AhqCSNGQPEl1F+ndXYr1YS0sU5foiBS2V5leeCc2WXDEVgAVUzN
X-Received: by 2002:a37:a816:: with SMTP id
 r22-v6mr19024134qke.54.1533026612665; 
 Tue, 31 Jul 2018 01:43:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533026612; cv=none;
 d=google.com; s=arc-20160816;
 b=TUoUULXVbaGgV7Om5F9kGv4b2P4UedBL5kT3rKeDua9bGbxwa9pN+T+cGnEZqxIVl6
 RwRj1WFKdEG8Fyz/ksMtRi8/eVqZTSZiGl5ddE3hF2fvr7GBNhtKS4rwdqkJK5RLh2ti
 636v0QaM1lpi9gB4ZPzZ0DHc/uoF4mywoxJxDDAe3JVFtfAARaHGTUmO2y+0+9GS1lQA
 40MyBPkE8mTmRsgD5LZI1X24pyJNKtV46um/uuo0qv87cq0FYOiian+bXOa/wRUv5Sa8
 3uF6+Qjaa+5ZtokOpIedDs/R4pJr7OuBC579LKaOb1+vLQBFozdTBNRKXBQCYrLumqAd
 U/Ow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:cc:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:subject
 :content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:to:from:arc-authentication-results;
 bh=1DcgYkq3TOJHynIuoeVFLp5HwmJaTqajCSAoiv8OltU=;
 b=BbFSOn/HDiESq+i27Xi0kl3Q/Q7N2FlIGklitwxyf+J56ktmarrmHQzj0KvTCu3CMP
 YxNdZEmb1zXrw3BGZidnXgDJbti97yau5ZVHD2Wbo9F67Y1cs95BgNxefI0VfjRDHdVG
 W8pfjjrytRqklyOMQxhAiD0iRk/yYIrCeNW17u/yjXhAUPJT8g4OzVJlDyTyn6PxjrFi
 INs453oP79G5Hrva2jl10nI7OAOydLJakUqm8/WGqOj7nPB3ssl7Ux/tJzICGr638o8n
 S5fOVHNCt+Gr3Q4ne72dG1Arc68kLbo586zBKcz2GwwMy6P1u9hHrev+6tKlorkSbgLM
 kkhA==
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id
 o19-v6si974428qtf.274.2018.07.31.01.43.32 for <patch@linaro.org>
 (version=TLS1 cipher=AES128-SHA bits=128/128);
 Tue, 31 Jul 2018 01:43:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Received: from localhost ([::1]:57624 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1fkQFg-0003Sl-4X
 for patch@linaro.org; Tue, 31 Jul 2018 04:43:32 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37609)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <laurent@vivier.eu>) id 1fkQFD-0003QX-Ej
 for qemu-devel@nongnu.org; Tue, 31 Jul 2018 04:43:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <laurent@vivier.eu>) id 1fkQFA-0006et-0L
 for qemu-devel@nongnu.org; Tue, 31 Jul 2018 04:43:03 -0400
Received: from mout.kundenserver.de ([212.227.126.187]:38217)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <laurent@vivier.eu>) id 1fkQF9-0006di-NN
 for qemu-devel@nongnu.org; Tue, 31 Jul 2018 04:42:59 -0400
Received: from localhost.localdomain ([78.238.229.36]) by
 mrelayeu.kundenserver.de (mreue007 [212.227.15.167]) with ESMTPSA
 (Nemesis)
 id 0Ln0mX-1gRlKw2hnZ-00hJRF; Tue, 31 Jul 2018 10:42:19 +0200
From: Laurent Vivier <laurent@vivier.eu>
To: qemu-devel@nongnu.org
Date: Tue, 31 Jul 2018 10:42:01 +0200
Message-Id: <20180731084203.29959-2-laurent@vivier.eu>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180731084203.29959-1-laurent@vivier.eu>
References: <20180731084203.29959-1-laurent@vivier.eu>
MIME-Version: 1.0
X-Provags-ID: V03:K1:AYph8q12/f2lP2Jnrh1mxlkrPuDAetQ+FXH/BGYWE/xZTHZ5OWN
 t70Ily+YohzXNa+V3nAmmww8GpNgIieYT4pboA5r5rX42gfNPz89cwVP/QRCIFJyqkOzwjl
 ItXbzqjNo19wjmeRp0uzigF4mkzYDYkj3r0ohJADWw4OWq1ECAbROvKiSf5fTXXen59hOHs
 YLqEZjwhb3lqHpAXvT+6Q==
X-UI-Out-Filterresults: notjunk:1; V01:K0:CNmPF70UGZg=:xf5bIuZzSW8OetEABtl4Ql
 z//MX9G1JUESOuL3YlYrf1oZMIbHmm8K6dd8/+MypyPrwsiOrKvQXnmlGZDXfhoriefbysgEs
 6XcPCOWkTPtCDuYe4fwbG+t14mDgzAQTwu/rrSLP/1CvVFmyd0vrvqy8PZZUHfuCX5pQkYn3W
 I5AfyveIYc9uStocMiiFCEiBWJ4oLfJ5qbf+j0Ds0y8xfPdi2v03it9pP7OmoV2t3rpPr1CXs
 KejpHofQPPuzwjGHCRfOmkVcBC5hGiiyXvRO43UdvyZ8EO7Q2JOPBwbGuoOe5/qbWSOPve5Fk
 DaPvdurTh9IDUHn/sKKP3DsfBsH9z7xX+Gou7NSWOhhH3sCK887GUQvbtQcGX7mYDftWSdDwY
 SozxMRTOe8CzPERgR2fa/HvJrkls5qIQ++fAkDcQaFqql+NF7cFpVfGt1rb3gPBcjhbeZV72D
 iEGiU/vGojZPyYLB/zrtoqeLYDBWgUkPO8gnsrjuouytNSNSzRKtg0mfwSvMpDjMeQ/MhHAEY
 J/KG+PIWy0CR6Ei8Sw9x54U2OcsYDrsW+XcQDFTDuENTqPNtEdmdGc62GTQ/OkaJ5S+tNyYME
 mHz/Dhy0YOkOFI/42NHNPvepwoZ/wyUvi+m3cVkOMMXWPn9eVRFW6Q0MQqvysqWHppgPpmg5E
 rUvv5sNdkv/R944xzT0Q07e6qpv+80IiD/620ufDgI+6b41+EeubaBv7p1DF26IhWiCYmAlIA
 ZSCmdBnBcNM91JsG
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 212.227.126.187
Subject: [Qemu-devel] [PULL 1/3] linux-user/mmap.c: handle invalid len maps
 correctly
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: umarcor <1783362@bugs.launchpad.net>, Riku Voipio <riku.voipio@iki.fi>,
 =?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>,
 Laurent Vivier <laurent@vivier.eu>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>

From: Alex Bennée <alex.bennee@linaro.org>

I've slightly re-organised the check to more closely match the
sequence that the kernel uses in do_mmap(). We check for both the zero
case (EINVAL) and the overflow length case (ENOMEM).

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: umarcor <1783362@bugs.launchpad.net>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20180730134321.19898-2-alex.bennee@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
 linux-user/mmap.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

-- 
2.17.1

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index d0c50e4888..41e0983ce8 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -391,14 +391,23 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
     }
 #endif
 
-    if (offset & ~TARGET_PAGE_MASK) {
+    if (!len) {
         errno = EINVAL;
         goto fail;
     }
 
+    /* Also check for overflows... */
     len = TARGET_PAGE_ALIGN(len);
-    if (len == 0)
-        goto the_end;
+    if (!len) {
+        errno = ENOMEM;
+        goto fail;
+    }
+
+    if (offset & ~TARGET_PAGE_MASK) {
+        errno = EINVAL;
+        goto fail;
+    }
+
     real_start = start & qemu_host_page_mask;
     host_offset = offset & qemu_host_page_mask;