Subject: kern/16464: mmap doesn't check size variable sufficiently
To: None <>
From: Wolfgang Rupprecht <>
List: netbsd-bugs
Date: 04/23/2002 12:51:12
>Number:         16464
>Category:       kern
>Synopsis:       mmap doesn't check size variable sufficiently
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 23 12:52:00 PDT 2002
>Originator:     Wolfgang Rupprecht
>Release:        NetBSD 1.5ZC
W S Rupprecht Computer Consulting, Fremont CA
System: NetBSD 1.5ZC NetBSD 1.5ZC (WSRCC_ATHLON) #75: Sun Apr 14 08:04:22 PDT 2002 i386
Architecture: i386
Machine: i386
	mmap doesn't check the size variable sufficiently and one 
	is allowed to map 0xfffffff0 bytes.  The returned area would
	wrap around memory it is so large.

	Marked non-critical and low because it only affects test
	programs that attempt to figure out how much mmap-ed memory
	they have to play with.


/* cc -O2 -g -Wall -Wmissing-prototypes -Wmissing-declarations -Wuninitialized   -o bugtest bugtest.c */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <fcntl.h>

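int
main(void)
{
    int             fd;
    void           *ptr;

    fd = open("/dev/wd0d", O_RDONLY);	/* i386 */
    if (fd < 0) {
	perror("open");		/* without a valid fd the test proves nothing */
	return 1;
    }
    ptr = mmap(NULL,		/* requested addr in our mem space */
	       0xfffffff0,	/* size of mapped area */
	       PROT_READ,	/* prot */
	       MAP_FILE,	/* flags */
	       fd,		/* fd */
	       0);		/* offset in fd */
    if (ptr != MAP_FAILED) {
	/* the kernel accepted a length that cannot fit in a 32-bit address space */
	printf("Succeeded in mapping a region that wrapped around memory!\n");
    }
    return 0;
}
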
	Check that the kernel doesn't round the size request up and
	only then applies the size sanity tests.
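
The ordering problem the suggested fix describes, as an added example that is not part of the original report and is not NetBSD kernel code: a 32-bit length is rounded up to a page boundary either before or after the sanity test. The function names, the 4096-byte page size and the MAX_MAP_BYTES bound are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit kernel; all names here are hypothetical. */
#define PAGE_SIZE_32  UINT32_C(4096)
#define PAGE_MASK_32  (PAGE_SIZE_32 - 1)
#define MAX_MAP_BYTES UINT32_C(0xC0000000)	/* assumed limit for one mapping */

/* Round up to a page boundary; lengths near UINT32_MAX wrap to a tiny value. */
static uint32_t round_page32(uint32_t len)
{
    return (len + PAGE_MASK_32) & ~PAGE_MASK_32;
}

/* Weak ordering: round first, then test the value that has already wrapped. */
int size_ok_round_then_check(uint32_t len, uint32_t *rounded)
{
    *rounded = round_page32(len);
    return *rounded <= MAX_MAP_BYTES;
}

/* Corrected ordering: reject lengths that are zero, over the limit, or that
 * would wrap when rounded, and only then round. */
int size_ok_check_then_round(uint32_t len, uint32_t *rounded)
{
    if (len == 0 || len > MAX_MAP_BYTES || len > UINT32_MAX - PAGE_MASK_32)
        return 0;
    *rounded = round_page32(len);
    return 1;
}

int main(void)
{
    /* Constructed sample lengths; the last one is the value from the report. */
    const uint32_t sizes[] = { 0x1000, 0x1001, 0xfffffff0 };
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint32_t r1 = 0, r2 = 0;
        int weak = size_ok_round_then_check(sizes[i], &r1);
        int good = size_ok_check_then_round(sizes[i], &r2);
        printf("len=%#010x round-then-check=%s (rounded %#x) check-then-round=%s\n",
               (unsigned)sizes[i], weak ? "accept" : "reject",
               (unsigned)r1, good ? "accept" : "reject");
    }
    return 0;
}
```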