From c62637d679d326764563f3fe3b8803fa35610c54 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Fri, 28 Sep 2018 14:11:38 +0000
Subject: [PATCH] Correct vm_fault_copy_entry() handling of backing file truncation after the file mapping was wired.

if a wired map entry is backed by vnode and the file is truncated, corresponding pages are invalidated. vm_fault_copy_entry() should be aware of it and allow for invalid pages past end of file. Also, such pages should be not mapped into userspace. If userspace accesses the truncated part of the mapping later, it gets a signal, there is no way kernel can prevent the page fault.

Reported by: andrew using syzkaller
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
Approved by: re (gjb)
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D17323
---
 sys/vm/vm_fault.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index d6545ba5f479..c56e51f3dbfe 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -1739,6 +1739,13 @@ vm_fault_copy_entry(vm_map_t dst_map, vm_map_t src_map,
 dst_m = src_m;
 if (vm_page_sleep_if_busy(dst_m, "fltupg"))
 goto again;
+ if (dst_m->pindex >= dst_object->size)
+ /*
+ * We are upgrading. Index can occur
+ * out of bounds if the object type is
+ * vnode and the file was truncated.
+ */
+ break;
 vm_page_xbusy(dst_m);
 KASSERT(dst_m->valid == VM_PAGE_BITS_ALL,
 ("invalid dst page %p", dst_m));
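Review bot: The new `break` in the upgrade branch is right only because the loop's page index grows monotonically, so the first index at or beyond `dst_object->size` implies every later index is also past the truncation point; the added comment says why the index can be out of bounds but not why leaving the loop (rather than skipping the page) is correct, nor that the remainder of the wired range is deliberately left unmapped so a later access faults, which is the behaviour the commit message intends. Extending the comment with `Later indices are out of bounds too, so stop here; the rest of the range stays unmapped and faults on access.` would capture that for the next maintainer. The check reads `dst_object->size` in the same branch that goes on to `vm_page_xbusy(dst_m)`, so it presumably runs under the object lock that branch already holds; whether that lock is released on the break path by the code after the loop is outside the hunk and worth confirming. The sibling non-upgrade branch also lies outside the hunk and, as far as can be seen here, uses `src_m` without an equivalent bound check, so whether the same truncation can reach it is worth a look. vm_fault_copy_entry's body starts and ends outside the hunk.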