Change the check for 'size' wrapping around to zero in kern_mmap to account

for both the lower and upper bound modifications. Change the error returned to ENOMEM. Rename the parameter size to len and make size a local variable that stores the value of len after it has been modified. This addresses concerns expressed by Bruce Evans after r348843. Reported by: brde@optusnet.com.au Reviewed by: kib, markj (mentors) MFC after: 3 days Relnotes: yes Differential Revision: https://reviews.freebsd.org/D20592
2019-06-10 21:26:14 +00:00 · 2019-06-10 21:26:14 +00:00 · 77555b849d
commit 77555b849d
parent 0422393286
2 changed files with 10 additions and 10 deletions
--- a/sys/sys/syscallsubr.h
+++ b/sys/sys/syscallsubr.h
@ -173,7 +173,7 @@ int	kern_mknodat(struct thread *td, int fd, const char *path,
 	    enum uio_seg pathseg, int mode, dev_t dev);
 int	kern_mlock(struct proc *proc, struct ucred *cred, uintptr_t addr,
 	    size_t len);
-int	kern_mmap(struct thread *td, uintptr_t addr, size_t size, int prot,
+int	kern_mmap(struct thread *td, uintptr_t addr, size_t len, int prot,
 	    int flags, int fd, off_t pos);
 int	kern_mprotect(struct thread *td, uintptr_t addr, size_t size, int prot);
 int	kern_msgctl(struct thread *, int, int, struct msqid_ds *);
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@ -179,13 +179,13 @@ sys_mmap(struct thread *td, struct mmap_args *uap)
 }

 int
-kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags,
+kern_mmap(struct thread *td, uintptr_t addr0, size_t len, int prot, int flags,
    int fd, off_t pos)
 {
 	struct vmspace *vms;
 	struct file *fp;
 	vm_offset_t addr;
-	vm_size_t pageoff;
+	vm_size_t pageoff, size;
 	vm_prot_t cap_maxprot;
 	int align, error;
 	cap_rights_t rights;
@ -210,7 +210,7 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags,
 	 * pos.
 	 */
 	if (!SV_CURPROC_FLAG(SV_AOUT)) {
-		if ((size == 0 && curproc->p_osrel >= P_OSREL_MAP_ANON) ||
+		if ((len == 0 && curproc->p_osrel >= P_OSREL_MAP_ANON) ||
 		    ((flags & MAP_ANON) != 0 && (fd != -1 || pos != 0)))
 			return (EINVAL);
 	} else {
@ -255,12 +255,12 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags,
 	pageoff = (pos & PAGE_MASK);
 	pos -= pageoff;

-	/* Adjust size for rounding (on both ends). */
-	size += pageoff;			/* low end... */
-	/* Check for rounding up to zero. */
-	if (round_page(size) < size)
-		return (EINVAL);
+	/* Compute size from len by rounding (on both ends). */
+	size = len + pageoff;			/* low end... */
 	size = round_page(size);		/* hi end */
+	/* Check for rounding up to zero. */
+	if (len < size)
+		return (ENOMEM);

 	/* Ensure alignment is at least a page and fits in a pointer. */
 	align = flags & MAP_ALIGNMENT_MASK;
@ -317,7 +317,7 @@ kern_mmap(struct thread *td, uintptr_t addr0, size_t size, int prot, int flags,
 			addr = round_page((vm_offset_t)vms->vm_daddr +
 			    lim_max(td, RLIMIT_DATA));
 	}
-	if (size == 0) {
+	if (len == 0) {
 		/*
 		 * Return success without mapping anything for old
 		 * binaries that request a page-aligned mapping of