Re: [PATCH] mm: don't clobber partially overlapping VMA with MAP_FIXED_NOREPLACE

On Wed 10-10-18 17:27:36, Jann Horn wrote:
> Daniel Micay reports that attempting to use MAP_FIXED_NOREPLACE in an
> application causes that application to randomly crash. The existing check
> for handling MAP_FIXED_NOREPLACE looks up the first VMA that either
> overlaps or follows the requested region, and then bails out if that VMA
> overlaps *the start* of the requested region. It does not bail out if the
> VMA only overlaps another part of the requested region.

I do not understand. Could you give me an example?
[...]

> diff --git a/mm/mmap.c b/mm/mmap.c
> index 5f2b2b184c60..f7cd9cb966c0 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1410,7 +1410,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
>  	if (flags & MAP_FIXED_NOREPLACE) {
>  		struct vm_area_struct *vma = find_vma(mm, addr);
>  
> -		if (vma && vma->vm_start <= addr)
> +		if (vma && vma->vm_start < addr + len)
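Review bot: the old condition `vma->vm_start <= addr` only rejects a VMA that already covers the start of the request, so a VMA beginning inside (addr, addr + len) has vm_start > addr, passes the check and gets clobbered; since find_vma() returns the first VMA with addr < vm_end, the new condition `vma->vm_start < addr + len` together with that property is exactly the half-open interval overlap test, so the logic is right. The commit message should spell out one concrete layout (an existing mapping that starts a page or more after addr but before addr + len) because the partial-overlap case is the whole point of the change and the first reply in this thread already asks for such an example.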

find_vma is documented to - Look up the first VMA which satisfies addr <
vm_end, NULL if none.
This means that the above check guarantees that
	vm_start <= addr < vm_end
so an overlap is guaranteed. Why should we care how much we overlap?

-- 
Michal Hocko
SUSE Labs
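A small user-space model of the two conditions, added here as an illustration and not code from the patch or the kernel tree: it implements find_vma()'s documented contract over a constructed, sorted VMA array and compares the old and patched checks against a brute-force overlap test. The field names vm_start/vm_end and find_vma are from the page; every other name and the address values are made up.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-in for vm_area_struct (constructed, not the kernel's). */
struct vma {
    unsigned long vm_start, vm_end; /* half-open range [vm_start, vm_end) */
};

/* Documented find_vma() contract: first VMA satisfying addr < vm_end, else NULL.
 * Assumes the array is sorted by vm_start, as the kernel's VMA tree is. */
static const struct vma *find_vma(const struct vma *vmas, size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr < vmas[i].vm_end)
            return &vmas[i];
    return NULL;
}

/* Old check: rejects only when the found VMA covers addr itself; never looks at len. */
bool noreplace_rejects_old(const struct vma *vmas, size_t n, unsigned long addr)
{
    const struct vma *vma = find_vma(vmas, n, addr);
    return vma && vma->vm_start <= addr;
}

/* Patched check: rejects when the found VMA begins anywhere before the request ends. */
bool noreplace_rejects_new(const struct vma *vmas, size_t n, unsigned long addr, unsigned long len)
{
    const struct vma *vma = find_vma(vmas, n, addr);
    return vma && vma->vm_start < addr + len;
}

/* Ground truth: does any VMA intersect [addr, addr + len)? */
bool any_overlap(const struct vma *vmas, size_t n, unsigned long addr, unsigned long len)
{
    for (size_t i = 0; i < n; i++)
        if (vmas[i].vm_start < addr + len && addr < vmas[i].vm_end)
            return true;
    return false;
}

/* Constructed layout: a single existing mapping at [0x20000, 0x30000). */
static const struct vma layout[] = { { 0x20000, 0x30000 } };
#define NLAYOUT (sizeof(layout) / sizeof(layout[0]))

/* Request [0x10000, 0x30000) overlaps only the tail of the existing mapping:
 * the old check lets it through, the patched check rejects it. */
bool old_check_misses_partial_overlap(void)
{
    return any_overlap(layout, NLAYOUT, 0x10000, 0x20000)
        && !noreplace_rejects_old(layout, NLAYOUT, 0x10000)
        && noreplace_rejects_new(layout, NLAYOUT, 0x10000, 0x20000);
}
```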