Bug 2728
Summary: | Memory Management : msync system call is able to synchronize unmapped memory without error(it should return unmapped memory error) | ||
---|---|---|---|
Product: | Memory Management | Reporter: | rajeev (rajeevti) |
Component: | Other | Assignee: | Dave Hansen (dave) |
Status: | REJECTED INVALID | ||
Severity: | normal | CC: | rajeevti, sglass |
Priority: | P2 | ||
Hardware: | i386 | ||
OS: | Linux | ||
Kernel Version: | 2.6.6 | Subsystem: | |
Regression: | --- | Bisected commit-id: | |
Attachments: | silly (len > vma->vm_end - start) check |
Description
rajeev
2004-05-19 03:57:09 UTC
Created attachment 2926 [details]
silly (len > vma->vm_end - start) check
the 2.6.6 code says the following:

    /*
     * If the interval [start,end) covers some unmapped address ranges,
     * just ignore them, but return -ENOMEM at the end.
     */

For a process there can be more than one vma structure in the linked list (e.g. a couple of mmap's, a few mallocs; each will create a separate vma structure and append it to the linked list). If the length covers more than one vma structure, then in that case msync needs to traverse all the vma structures in that range. Your patch will not sync vma structures in the length range (your check is only for the first vma structure). Check the for loop which traverses all the vma structures in the length range. After traversing all the vma structures the function should return an error code!

Here's another one where the test case expects failure when writing out of bounds from an existing area, but it doesn't make sure that the area it expects to fail doesn't contain something else. Here's /proc/<pid>/maps just before the msync() call. There's a valid VMA right after the "test.txt" area, so the call correctly succeeds.

    08048000-08049000 r-xp 00000000 08:02 895877     /root/bugs/2728/sum_test
    08049000-0804a000 rwxp 00000000 08:02 895877     /root/bugs/2728/sum_test
    b7ea4000-b7ea5000 rwxp b7ea4000 00:00 0
    b7ea5000-b7fd5000 r-xp 00000000 08:02 410361     /lib/tls/libc-2.3.2.so
    b7fd5000-b7fde000 rwxp 0012f000 08:02 410361     /lib/tls/libc-2.3.2.so
    b7fde000-b7fe0000 rwxp b7fde000 00:00 0
    b7fe7000-b7fe8000 rwxs 00000000 08:02 895879     /root/bugs/2728/test.txt
    b7fe8000-b7fea000 rwxp b7fe8000 00:00 0
    b7fea000-b8000000 r-xp 00000000 08:02 814607     /lib/ld-2.3.2.so
    b8000000-b8001000 rwxp 00015000 08:02 814607     /lib/ld-2.3.2.so
    bffeb000-c0000000 rwxp bffeb000 00:00 0
    ffffe000-fffff000 ---p 00000000 00:00 0
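The two points in the thread (msync must walk every VMA in [start,end) and report -ENOMEM if any part was unmapped; a test that expects failure must first confirm the range really is unmapped rather than guessing from the end of one area) can be checked from user space. The program below is an added example written for this page, not the reporter's sum_test nor anything attached to the bug. It assumes Linux with /proc/self/maps and, instead of a file mapping of test.txt, builds its own range with a guaranteed hole: three anonymous pages with the middle one munmap'd. It then parses /proc/self/maps with a non-allocating reader (so the check itself cannot map something into the hole) to decide what msync should return, and compares that with the errno msync actually produces. The function names range_fully_mapped, msync_errno and make_mapping_with_hole are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Snapshot of /proc/self/maps, filled with raw read(2) into a static buffer so
 * that taking the snapshot allocates nothing and cannot itself fill a hole. */
static char maps_buf[1 << 16];

/* Return 1 if every byte of [start, start+len) lies inside some VMA listed in
 * /proc/self/maps, 0 if any part of the range is unmapped, -1 on read error.
 * Relies on the kernel listing VMAs in ascending address order. */
int range_fully_mapped(uintptr_t start, size_t len)
{
    uintptr_t end = start + len;
    int fd = open("/proc/self/maps", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t total = 0;
    for (;;) {
        ssize_t n = read(fd, maps_buf + total, sizeof(maps_buf) - 1 - total);
        if (n <= 0)
            break;
        total += (size_t)n;
        if (total >= sizeof(maps_buf) - 1)
            break;
    }
    close(fd);
    maps_buf[total] = '\0';

    /* Walk the VMAs, advancing a cursor through the requested range. Any VMA
     * that starts above the cursor means the bytes at the cursor are unmapped. */
    uintptr_t cursor = start;
    char *line = maps_buf;
    while (line && *line && cursor < end) {
        char *nl = strchr(line, '\n');
        if (nl)
            *nl = '\0';
        char *dash = NULL;
        uintptr_t vstart = (uintptr_t)strtoull(line, &dash, 16);
        uintptr_t vend = (dash && *dash == '-')
                             ? (uintptr_t)strtoull(dash + 1, NULL, 16) : 0;
        if (vend > vstart) {
            if (vstart > cursor)
                break;             /* gap between cursor and this VMA */
            if (vend > cursor)
                cursor = vend;     /* VMA covers cursor; move past it */
        }
        line = nl ? nl + 1 : NULL;
    }
    return cursor >= end ? 1 : 0;
}

/* msync [addr, addr+len) with MS_SYNC; return 0 on success, else errno. */
int msync_errno(void *addr, size_t len)
{
    if (msync(addr, len, MS_SYNC) == 0)
        return 0;
    return errno;
}

/* Build a range with a guaranteed hole: three anonymous pages, middle page
 * unmapped. Unlike pointing just past "test.txt" in the bug's test case,
 * nothing can be sitting in this hole unless this process maps it later.
 * Returns the base of the first page, or MAP_FAILED. */
void *make_mapping_with_hole(size_t page)
{
    char *base = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return MAP_FAILED;
    if (munmap(base + page, page) != 0) {
        munmap(base, 3 * page);
        return MAP_FAILED;
    }
    return base;
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base = make_mapping_with_hole(page);
    if (base == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    /* Gather every result before printing: stdio may allocate on first use. */
    int first_mapped = range_fully_mapped((uintptr_t)base, page);
    int hole_mapped = range_fully_mapped((uintptr_t)base + page, page);
    int sync_first = msync_errno(base, page);
    int sync_span = msync_errno(base, 3 * page);   /* spans two VMAs + hole */
    int sync_last = msync_errno(base + 2 * page, page);
    printf("first page mapped: %d, hole mapped: %d\n", first_mapped, hole_mapped);
    printf("msync first page: %d, msync whole span: %d (ENOMEM=%d), msync last page: %d\n",
           sync_first, sync_span, ENOMEM, sync_last);
    return 0;
}
```

The span call covers a valid VMA before and after the hole; the kernel keeps syncing past the gap but still returns ENOMEM at the end, which is the behaviour the quoted comment describes. If the maps check reported the hole as mapped, an ENOMEM expectation would be wrong for the same reason the reporter's test was: something else occupies the address.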