Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20220109060003.GR7074@brightrain.aerifal.cx>
Date: Sun, 9 Jan 2022 01:00:03 -0500
From: Rich Felker <dalias@...c.org>
To: "Minqiang Chen (ptpt52)" <ptpt52@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: BUG fix: mmap pass wrong offset to kernel

On Tue, Nov 16, 2021 at 11:18:17AM -0500, Rich Felker wrote:
> On Tue, Nov 16, 2021 at 11:56:57AM +0800, Minqiang Chen (ptpt52) wrote:
> > From 146066a9794b8e39c53337b71a8476b86e79e7d4 Mon Sep 17 00:00:00 2001
> > From: Chen Minqiang <ptpt52@...il.com>
> > Date: Mon, 16 Oct 2017 08:57:41 +0800
> > Subject: [PATCH] musl: fix mmap pass wrong offset to kernel
> > 
> > on 32bit platform for example off_t x=0x8d9eb000, the x/4096 result
> > is 0xfff8d9eb, but the sys_mmap2() is expecting 0x8d9eb to be pass to
> > 
> > this happens on 32bit platform or 64bit platform when
> > x > = 0x80000000 (32bit platform)
> > or
> > x > = 0x8000000000000000 (64bit platform)
> > 
> > Signed-off-by: Chen Minqiang <ptpt52@...il.com>
> > ---
> >  src/mman/mmap.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/src/mman/mmap.c b/src/mman/mmap.c
> > index eff88d82..f225cdbb 100644
> > --- a/src/mman/mmap.c
> > +++ b/src/mman/mmap.c
> > @@ -26,7 +26,7 @@ void *__mmap(void *start, size_t len, int prot, int flags, int fd, off_t off)
> >                 __vm_wait();
> >         }
> >  #ifdef SYS_mmap2
> > -       ret = __syscall(SYS_mmap2, start, len, prot, flags, fd, off/UNIT);
> > +       ret = __syscall(SYS_mmap2, start, len, prot, flags, fd, (unsigned long)off/UNIT);
> >  #else
> >         ret = __syscall(SYS_mmap, start, len, prot, flags, fd, off);
> >  #endif
> > -- 
> > 2.17.1
> 
> This patch is wrong and truncates offsets over 32-bit (drops all the
> high bits). There is a bug here, but it's just that UNIT has the wrong
> type. commit b5bbe797493ea732d4cac15619753c545ed392af introduced the
> regression by making UNIT have type unsigned long long. It should have
> a small signed type; just int is fine.

Following up on this again: there isn't actually a bug here. All valid
offsets to mmap are non-negative off_t values, so coercion to unsigned
long long does not alter the value. If the offset is negative, it was
already caught by the mask against OFF_MASK in the first if statement.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.