qemu-user: mmap should return failure (MAP_FAILED, -1) instead of success (NULL, 0) when len==0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
qemu (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
As shown in https:/
Steps to reproduce the bug:
- (cross-)compile the attached source file:
$ aarch64-
- Execute on an x86_64 host with qemu-user and qemu-user-binfmt:
$ ./mmap_qemu
alloc: 0
MAP_FAILED: -1
errno: 0
mmap_qemu: test/mmap_
qemu: uncaught target signal 6 (Aborted) - core dumped
Aborted (core dumped)
- Execute on an ARM host without any additional dependency:
$ ./mmap_qemu
alloc: -1
MAP_FAILED: -1
errno: 22
The bug is present in Fedora:
$ qemu-aarch64 --version
qemu-aarch64 version 2.11.2(
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ uname -r
4.17.7-
And also in Ubuntu:
$ qemu-aarch64 --version
qemu-aarch64 version 2.12.0 (Debian 1:2.12+
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
$ uname -r
4.15.0-23-generic
Possibly related to:
- https:/
- https:/
summary:
- qemu-user-aarch64: mmap returns success (NULL, 0) instead of failure (MAP_FAILED, -1) with len==0
+ qemu-user: mmap should return failure (MAP_FAILED, -1) instead of success (NULL, 0) when len==0

Changed in qemu: status: New → In Progress
Changed in qemu (Ubuntu): status: New → In Progress
Changed in qemu: status: In Progress → Fix Committed
Changed in qemu (Ubuntu): status: In Progress → Fix Committed
Changed in qemu: status: Fix Committed → Fix Released
Changed in qemu (Ubuntu): status: Fix Committed → Fix Released
I did some research and found that this bug has been present since 2003:
- 2003/05/13: https://github.com/qemu/qemu/commit/54936004fddc52c321cb3f9a9a51140e782bed5d#diff-2bf4728e0473404c39c97190bd02b2f8
- https://github.com/qemu/qemu/blob/54936004fddc52c321cb3f9a9a51140e782bed5d/linux-user/mmap.c#L182-L183
- 2008/06/02: https://github.com/qemu/qemu/commit/c8a706fe6242a553960ccc3071a4e75ceba6f3d2#diff-2bf4728e0473404c39c97190bd02b2f8
- https://github.com/qemu/qemu/blob/c8a706fe6242a553960ccc3071a4e75ceba6f3d2/linux-user/mmap.c#L284-L285
- https://github.com/qemu/qemu/blob/c8a706fe6242a553960ccc3071a4e75ceba6f3d2/linux-user/mmap.c#L400-L410
It is present in versions 2.11.2, 2.12.0 and master:
- https://github.com/qemu/qemu/blob/v2.11.2/linux-user/mmap.c#L401-L402
- https://github.com/qemu/qemu/blob/v2.12.0/linux-user/mmap.c#L401-L402
- https://github.com/qemu/qemu/blob/master/linux-user/mmap.c#L400-L401
I think that a possible fix is:
@@ -397,8 +397,10 @@ abi_long target_ mmap(abi_ ulong start, abi_ulong len, int prot,
}
len = TARGET_ PAGE_ALIGN( len); page_mask; page_mask;
- if (len == 0)
- goto the_end;
+ if (len == 0) {
+ errno = EINVAL;
+ goto fail;
+ }
real_start = start & qemu_host_
host_offset = offset & qemu_host_
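Review bot: the new branch `+ if (len == 0) {` / `+ errno = EINVAL;` / `+ goto fail;` makes qemu-user match the native result quoted in the description (alloc -1, errno 22, i.e. EINVAL), but it depends on the `fail` label, which lies outside the shown context; the patch description should confirm that `fail` returns -1 (so the caller's errno translation yields EINVAL) and undoes whatever target_mmap set up before line 397, since the old `goto the_end` path and the `fail` path may not clean up the same things. Note also that the comparison runs after `TARGET_PAGE_ALIGN(len)`, so it rejects only a request that was literally zero, which is the kernel's behaviour; the attached mmap_qemu program would make a good regression test to submit alongside the change.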