linux-user/mmap.c: check range of mremap result in target address space

If mremap succeeds, an additional check is performed to ensure that the new address range fits into the target address space. This check was previously perfomed in host address space, with the upper bound fixed to abi_ulong. This patch replaces the static check with a call to `guest_range_valid`, performing the range check against the actual size of the target address space. It also moves the corresponding block to prevent it from being called incorrectly when the mapping itself fails. Signed-off-by: Tobias Koch <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]>
balena-io · Feb 4, 2021 · ce9ed86 · ce9ed86
1 parent b911004
commit ce9ed86
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
@@ -767,20 +767,23 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
         }
         if (prot == 0) {
             host_addr = mremap(g2h(old_addr), old_size, new_size, flags);
-            if (host_addr != MAP_FAILED && reserved_va && old_size > new_size) {
-                mmap_reserve(old_addr + old_size, old_size - new_size);
+
+            if (host_addr != MAP_FAILED) {
+                /* Check if address fits target address space */
+                if (!guest_range_valid(h2g(host_addr), new_size)) {
+                    /* Revert mremap() changes */
+                    host_addr = mremap(g2h(old_addr), new_size, old_size,
+                                       flags);
+                    errno = ENOMEM;
+                    host_addr = MAP_FAILED;
+                } else if (reserved_va && old_size > new_size) {
+                    mmap_reserve(old_addr + old_size, old_size - new_size);
+                }
             }
         } else {
             errno = ENOMEM;
             host_addr = MAP_FAILED;
         }
-        /* Check if address fits target address space */
-        if ((unsigned long)host_addr + new_size > (abi_ulong)-1) {
-            /* Revert mremap() changes */
-            host_addr = mremap(g2h(old_addr), new_size, old_size, flags);
-            errno = ENOMEM;
-            host_addr = MAP_FAILED;
-        }
     }
 
     if (host_addr == MAP_FAILED) {