authorAlex Bennée <alex.bennee@linaro.org>2020-06-05 16:49:29 +0100
committerAlex Bennée <alex.bennee@linaro.org>2020-06-08 17:04:19 +0100
commit8ef618859c379fdce81c91bc93e0574e36ea76ff (patch)
tree26aa711b59a46fdec88fbfd6eaa08ef34377d847 /linux-user/mmap.c
parentb6771210b5bba543628b8eeacfea9f994372f880 (diff)
linux-user: detect overflow of MAP_FIXED mmap
Relaxing the restrictions on 64 bit guests leads to the user being able to attempt to map right at the edge of addressable memory. This in turn led to address overflow tripping the assert in page_set_flags when the end address wrapped around. Detect the wrap earlier and correctly -ENOMEM the guest (in the reported case LTP mmap15). Fixes: 7d8cbbabcb Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reported-by: Laurent Vivier <laurent@vivier.eu> Message-Id: <20200605154929.26910-15-alex.bennee@linaro.org>
Diffstat (limited to 'linux-user/mmap.c')
-rw-r--r--linux-user/mmap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index caab629..0019447 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -467,7 +467,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
* It can fail only on 64-bit host with 32-bit target.
* On any other target/host host mmap() handles this error correctly.
*/
- if (!guest_range_valid(start, len)) {
+ if (end < start || !guest_range_valid(start, len)) {
errno = ENOMEM;
goto fail;
}
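Review bot: The comment directly above the changed condition still says the check "can fail only on 64-bit host with 32-bit target", which is no longer accurate once `end < start` is part of it; per the commit message the wrap is reachable from a 64-bit guest mapping at the edge of the address space. I would add a line such as `* It can also fail when start + len wraps around the guest address space.` so the next reader does not treat the new test as dead code. The wrap test is only sound if `end` is computed from `start` and the page-aligned `len` in `abi_ulong` arithmetic before this point; that assignment is outside the hunk and should be confirmed. Because these values are guest-controlled and previously reached an assert, a regression test for the boundary case (the description cites LTP mmap15) would be worth keeping alongside this fix.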