Mailing List Archive

From:: Martin Pieuchot <mpi@grenadille.net>
Subject:: Re: vmcmd_map_readvn mprotect fix
To:: David Higgs <higgsd@gmail.com>
Cc:: OpenBSD Tech <tech@openbsd.org>
Date:: Mon, 10 Mar 2025 20:24:49 +0100

Download raw body.

Thread

2025-02-20 02:18 David Higgs:
vmcmd_map_readvn mprotect fix
- 2025-03-10 19:24 Martin Pieuchot:
  vmcmd_map_readvn mprotect fix
- - 2025-03-10 21:54 David Higgs:
    vmcmd_map_readvn mprotect fix

On 19/02/25(Wed) 21:18, David Higgs wrote:
> The uvm_map_protect takes start and end vaddr_t values, rather than a
> start and length.  It seems this code path is rarely/never taken, as
> it would immediately fail with EINVAL.

Indeed, thanks for the diff.  Out of curiosity how did you find this?
 
> Again, apologies for the mangled diff.
> 
> --david
> 
> diff --git a/sys/kern/exec_subr.c b/sys/kern/exec_subr.c
> index 9f4aea64a8f..e9c28d6c66c 100644
> --- a/sys/kern/exec_subr.c
> +++ b/sys/kern/exec_subr.c
> @@ -260,7 +260,7 @@ vmcmd_map_readvn(struct proc *p, struct exec_vmcmd *cmd)
>                  * uvm_map_protect() to fix up the protection.  ICK.
>                  */
>                 error = (uvm_map_protect(&p->p_vmspace->vm_map,
> -                   cmd->ev_addr, round_page(cmd->ev_len),
> +                   cmd->ev_addr, round_page(cmd->ev_addr + cmd->ev_len),
>                     prot, 0, FALSE, TRUE));
>         }
>         if (error == 0) {
>

2025-02-20 02:18 David Higgs:
vmcmd_map_readvn mprotect fix
- 2025-03-10 19:24 Martin Pieuchot:
  vmcmd_map_readvn mprotect fix
- - 2025-03-10 21:54 David Higgs:
    vmcmd_map_readvn mprotect fix