From 38138fab93584ad3560ddfcd70efbd5bb6b4a6f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alex=20Benn=C3=A9e?= Date: Mon, 30 Jul 2018 14:43:20 +0100 Subject: [PATCH 1/3] linux-user/mmap.c: handle invalid len maps correctly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I've slightly re-organised the check to more closely match the sequence that the kernel uses in do_mmap(). We check for both the zero case (EINVAL) and the overflow length case (ENOMEM). Signed-off-by: Alex Bennée Cc: umarcor <1783362@bugs.launchpad.net> Reviewed-by: Laurent Vivier Message-Id: <20180730134321.19898-2-alex.bennee@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/mmap.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/linux-user/mmap.c b/linux-user/mmap.c index d0c50e4888..41e0983ce8 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -391,14 +391,23 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, } #endif + if (!len) { + errno = EINVAL; + goto fail; + } + + /* Also check for overflows... */ + len = TARGET_PAGE_ALIGN(len); + if (!len) { + errno = ENOMEM; + goto fail; + } + if (offset & ~TARGET_PAGE_MASK) { errno = EINVAL; goto fail; } - len = TARGET_PAGE_ALIGN(len); - if (len == 0) - goto the_end; real_start = start & qemu_host_page_mask; host_offset = offset & qemu_host_page_mask; From 28cbb997d66e4d1904a231bef1ce15c2cbb6bf73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alex=20Benn=C3=A9e?= Date: Mon, 30 Jul 2018 14:43:21 +0100 Subject: [PATCH 2/3] tests: add check_invalid_maps to test-mmap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds a test to make sure we fail properly for a 0 length mmap. There are most likely other failure conditions we should also check. Signed-off-by: Alex Bennée Reviewed-by: Richard Henderson Cc: umarcor <1783362@bugs.launchpad.net> Message-Id: <20180730134321.19898-3-alex.bennee@linaro.org> Signed-off-by: Laurent Vivier --- tests/tcg/multiarch/test-mmap.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tests/tcg/multiarch/test-mmap.c b/tests/tcg/multiarch/test-mmap.c index 5c0afe6e49..11d0e777b1 100644 --- a/tests/tcg/multiarch/test-mmap.c +++ b/tests/tcg/multiarch/test-mmap.c @@ -27,7 +27,7 @@ #include #include #include - +#include #include #define D(x) @@ -435,6 +435,25 @@ void checked_write(int fd, const void *buf, size_t count) fail_unless(rc == count); } +void check_invalid_mmaps(void) +{ + unsigned char *addr; + + /* Attempt to map a zero length page. */ + addr = mmap(NULL, 0, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + fprintf(stdout, "%s addr=%p", __func__, (void *)addr); + fail_unless(addr == MAP_FAILED); + fail_unless(errno == EINVAL); + + /* Attempt to map a over length page. */ + addr = mmap(NULL, -4, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + fprintf(stdout, "%s addr=%p", __func__, (void *)addr); + fail_unless(addr == MAP_FAILED); + fail_unless(errno == ENOMEM); + + fprintf(stdout, " passed\n"); +} + int main(int argc, char **argv) { char tempname[] = "/tmp/.cmmapXXXXXX"; @@ -476,6 +495,7 @@ int main(int argc, char **argv) check_file_fixed_mmaps(); check_file_fixed_eof_mmaps(); check_file_unfixed_eof_mmaps(); + check_invalid_mmaps(); /* Fails at the moment. */ /* check_aligned_anonymous_fixed_mmaps_collide_with_host(); */ From 5d9f3ea0817215ad4baac5aa30414e9ebbaaf0d6 Mon Sep 17 00:00:00 2001 From: Shivaprasad G Bhat Date: Tue, 31 Jul 2018 11:12:24 +0530 Subject: [PATCH 3/3] linux-user: ppc64: don't use volatile register during safe_syscall r11 is a volatile register on PPC as per calling conventions. The safe_syscall code uses it to check if the signal_pending is set during the safe_syscall. When a syscall is interrupted on return from signal handling, the r11 might be corrupted before we retry the syscall leading to a crash. The registers r0-r13 are not to be used here as they have volatile/designated/reserved usages. Change the code to use r14 which is non-volatile. Use SP+16 which is a slot for LR, for save/restore of previous value of r14. SP+16 can be used, as LR is preserved across the syscall. Steps to reproduce: On PPC host, issue `qemu-x86_64 /usr/bin/cc -E -` Attempt Ctrl-C, the issue is reproduced. Reference: https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi-1.9.html#REG https://openpowerfoundation.org/wp-content/uploads/2016/03/ABI64BitOpenPOWERv1.1_16July2015_pub4.pdf Signed-off-by: Shivaprasad G Bhat Tested-by: Richard Henderson Tested-by: Laurent Vivier Reviewed-by: Richard Henderson Reviewed-by: Laurent Vivier Message-Id: <153301568965.30312.10498134581068746871.stgit@dhcp-9-109-246-16> Signed-off-by: Laurent Vivier --- linux-user/host/ppc64/safe-syscall.inc.S | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/linux-user/host/ppc64/safe-syscall.inc.S b/linux-user/host/ppc64/safe-syscall.inc.S index d30050a67c..8ed73a5b86 100644 --- a/linux-user/host/ppc64/safe-syscall.inc.S +++ b/linux-user/host/ppc64/safe-syscall.inc.S @@ -49,7 +49,9 @@ safe_syscall_base: * and returns the result in r3 * Shuffle everything around appropriately. */ - mr 11, 3 /* signal_pending */ + std 14, 16(1) /* Preserve r14 in SP+16 */ + .cfi_offset 14, 16 + mr 14, 3 /* signal_pending */ mr 0, 4 /* syscall number */ mr 3, 5 /* syscall arguments */ mr 4, 6 @@ -67,12 +69,13 @@ safe_syscall_base: */ safe_syscall_start: /* if signal_pending is non-zero, don't do the call */ - lwz 12, 0(11) + lwz 12, 0(14) cmpwi 0, 12, 0 bne- 0f sc safe_syscall_end: /* code path when we did execute the syscall */ + ld 14, 16(1) /* restore r14 to its original value */ bnslr+ /* syscall failed; return negative errno */ @@ -81,6 +84,7 @@ safe_syscall_end: /* code path when we didn't execute the syscall */ 0: addi 3, 0, -TARGET_ERESTARTSYS + ld 14, 16(1) /* restore r14 to its orginal value */ blr .cfi_endproc