Currently it is possible to extend the vma for a shm segment
with mremap. The shm code has no checks for access beyond the
end of the shm segment. Resulting in writes to shp->shm_dir in 2.3
and shp->shm_pages in 2.2 past the allocated end of the array.
By playing with this processes can create weird memory overwrites,
and effectively mlocked private pages.
As using mremap to extend a shm mapping is basically silly,
and linux specific. I don't think it affects anything in practice.
The attached patch caused SIGBUS to be delivered when
we write past the end of our shm area.
Eric
===File linux-2.3.41.eb1.diff==============
diff -uNrX linux-ignore-files linux-2.3.41/ipc/shm.c linux-2.3.41.eb1/ipc/shm.c
--- linux-2.3.41/ipc/shm.c Mon Jan 24 13:04:37 2000
+++ linux-2.3.41.eb1/ipc/shm.c Sat Jan 29 18:57:58 2000
@@ -840,6 +840,15 @@
idx = (address - shmd->vm_start) >> PAGE_SHIFT;
idx += shmd->vm_pgoff;
+ /*
+ * A shared mapping past the last page of the file is an error
+ * and results in a SIGBUS, so logically a shared mapping past
+ * the end of a shared memory segment should result in SIGBUS
+ * as well.
+ */
+ if (idx >= shp->shm_npages) {
+ return NULL;
+ }
down(&shp->sem);
if(shp != shm_lock(shp->id))
BUG();
============================================================
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jan 31 2000 - 21:00:25 EST