linux-user: Don't use MAP_FIXED in do_brk()

Since mmap() with MAP_FIXED will map over the top of existing mappings, it's a bad idea to use it to implement brk(), because brk() with a large size is likely to overwrite important things like qemu itself or the host libc. So we drop MAP_FIXED and handle "mapped but at different address" as an error case instead. Signed-off-by: Peter Maydell <[email protected]> Signed-off-by: Riku Voipio <[email protected]>
quic · Jun 21, 2011 · 00faf08 · 00faf08
1 parent f3ed1f5
commit 00faf08
Showing 1 changed file with 20 additions and 9 deletions.
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
@@ -735,23 +735,34 @@ abi_long do_brk(abi_ulong new_brk)
     	return target_brk;
     }
 
-    /* We need to allocate more memory after the brk... */
+    /* We need to allocate more memory after the brk... Note that
+     * we don't use MAP_FIXED because that will map over the top of
+     * any existing mapping (like the one with the host libc or qemu
+     * itself); instead we treat "mapped but at wrong address" as
+     * a failure and unmap again.
+     */
     new_alloc_size = HOST_PAGE_ALIGN(new_brk - brk_page + 1);
     mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
                                         PROT_READ|PROT_WRITE,
-                                        MAP_ANON|MAP_FIXED|MAP_PRIVATE, 0, 0));
+                                        MAP_ANON|MAP_PRIVATE, 0, 0));
+
+    if (mapped_addr == brk_page) {
+        target_brk = new_brk;
+        return target_brk;
+    } else if (mapped_addr != -1) {
+        /* Mapped but at wrong address, meaning there wasn't actually
+         * enough space for this brk.
+         */
+        target_munmap(mapped_addr, new_alloc_size);
+        mapped_addr = -1;
+    }
 
 #if defined(TARGET_ALPHA)
     /* We (partially) emulate OSF/1 on Alpha, which requires we
        return a proper errno, not an unchanged brk value.  */
-    if (is_error(mapped_addr)) {
-        return -TARGET_ENOMEM;
-    }
+    return -TARGET_ENOMEM;
 #endif
-
-    if (!is_error(mapped_addr)) {
-	target_brk = new_brk;
-    }
+    /* For everything else, return the previous break. */
     return target_brk;
 }