Re: [PATCH] linux-user/mmap.c: fix integer underflow in target_mremap
From: Laurent Vivier
Subject: Re: [PATCH] linux-user/mmap.c: fix integer underflow in target_mremap
Date: Thu, 28 May 2020 11:35:47 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
On 02/05/2020 at 18:12, Jonathan Marler wrote:
> Fixes: https://bugs.launchpad.net/bugs/1876373
>
> This code path in mmap occurs when a page size is decreased with mremap.
> When a section of pages is shrunk, qemu calls mmap_reserve on the pages that
> were released. However, it has the diff operation reversed, subtracting the
> larger old_size from the smaller new_size. Instead, it should be subtracting
> the smaller new_size from the larger old_size. You can also see in the
> previous line of the change that this mmap_reserve call only occurs when
> old_size > new_size.
>
> Signed-off-by: Jonathan Marler <johnnymarler@gmail.com>
> ---
> linux-user/mmap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/mmap.c b/linux-user/mmap.c
> index e378033797..caab62909e 100644
> --- a/linux-user/mmap.c
> +++ b/linux-user/mmap.c
> @@ -708,7 +708,7 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong
> old_size,
> if (prot == 0) {
> host_addr = mremap(g2h(old_addr), old_size, new_size, flags);
> if (host_addr != MAP_FAILED && reserved_va && old_size >
> new_size) {
> - mmap_reserve(old_addr + old_size, new_size - old_size);
> + mmap_reserve(old_addr + old_size, old_size - new_size);
> }
> } else {
> errno = ENOMEM;
>
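Review bot: The start address passed to `mmap_reserve` in the changed line is still `old_addr + old_size`, which is the end of the old mapping, while the pages released by a shrinking `mremap` lie in the range from `old_addr + new_size` up to `old_addr + old_size`. With the length now correct, the call reserves `old_size - new_size` bytes beginning just past the old mapping rather than over the released tail the commit message describes. Consider `mmap_reserve(old_addr + new_size, old_size - new_size);`, and a one-line comment on the call saying it re-reserves the tail freed by the shrink would make the intended range explicit.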
Applied to my linux-user branch.
Thanks,
Laurent