From nobody@FreeBSD.org  Wed Jul  7 11:24:46 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 10F6316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Jul 2004 11:24:46 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E600B43D46
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Jul 2004 11:24:45 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i67BOjDG013075
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 7 Jul 2004 11:24:45 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i67BOjAn013074;
	Wed, 7 Jul 2004 11:24:45 GMT
	(envelope-from nobody)
Message-Id: <200407071124.i67BOjAn013074@www.freebsd.org>
Date: Wed, 7 Jul 2004 11:24:45 GMT
From: KOIE Hidetaka <koie@suri.co.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: a little data can be stored beyond EOF.
X-Send-Pr-Version: www-2.3

>Number:         68765
>Category:       kern
>Synopsis:       [mmap] a little data can be stored beyond EOF.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 07 11:30:23 GMT 2004
>Closed-Date:    Sun Jun 29 17:01:59 UTC 2008
>Last-Modified:  Sun Jun 29 17:01:59 UTC 2008
>Originator:     KOIE Hidetaka
>Release:        FreeBSD-5.2 CURRENT
>Organization:
SURIGIKEN
>Environment:
FreeBSD sakura.suri.co.jp 5.2-CURRENT FreeBSD 5.2-CURRENT #1: Tue Jun 15 11:43:02 JST 2004     koie@sakura.suri.co.jp:/usr/obj/usr/src/sys/SAKURA  i38
>Description:
      A little data (~pagesize-1) can be stored beyond EOF using mmap.
I have an uneasy feeling someone might abuse it.

>How-To-Repeat:

>Fix:
      Sorry, I don't know.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Sun Nov 18 08:19:22 UTC 2007 
State-Changed-Why:  

Does this still occur? If so please mail your test case inline. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68765 

From: KOIE Hidetaka <koie@suri.co.jp>
To: bug-followup@FreeBSD.org
Cc: kmacy@FreeBSD.org
Subject: Re: kern/68765: [mmap] a little data can be stored beyond EOF.
Date: Wed, 30 Jan 2008 10:28:43 +0900 (JST)

   Message-Id: <200711180820.lAI8KAB0057218@freefall.freebsd.org>
   Date:       Sun, 18 Nov 2007 08:20:10 GMT
   From:       kmacy@FreeBSD.org
   Subject:    Re: kern/68765: [mmap] a little data can be stored beyon..
 
   | Synopsis: [mmap] a little data can be stored beyond EOF.
   | 
   | State-Changed-From-To: open->feedback
   | State-Changed-By: kmacy
   | State-Changed-When: Sun Nov 18 08:19:22 UTC 2007
   | State-Changed-Why: 
   | 
   | Does this still occur? If so please mail your test case inline.
   | 
   | http://www.freebsd.org/cgi/query-pr.cgi?pr=68765
   | 
 
 Yes.
 
 koie@guriandgura% uname -a
 FreeBSD guriandgura 8.0-CURRENT FreeBSD 8.0-CURRENT #2: Fri Nov 16 14:33:17 JST 2007     koie@guriandgura:/usr/obj/usr/src/sys/GURIANDGURA  amd64
 koie@guriandgura% cd /tmp
 koie@guriandgura% df /tmp
 Filesystem 1024-blocks Used      Avail Capacity  Mounted on
 tank/tmp    1305033600  128 1305033472     0%    /tmp    <==== /tmp is ZFS now.
 koie@guriandgura% cat -n hole.c
      1	#include <assert.h>
      2	#include <stdio.h>
      3	#include <stdlib.h>
      4	#include <string.h>
      5	#include <fcntl.h>
      6	#include <sys/types.h>
      7	#include <sys/mman.h>
      8	#include <unistd.h>
      9	
     10	int PAGESIZE;
     11	
     12	#define FILE "empty.dat"
     13	#define SECRET_OFF 1000
     14	int ordinary_size;
     15	
     16	int
     17	w()
     18	{
     19	    int rc = -1;
     20	    int fd;
     21	
     22	    // write a ordinary data nomally
     23	    if ((fd = open(FILE, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) {
     24		perror("open");
     25		goto out;
     26	    }
     27	    char buf[] = "TEST";
     28	    if (write(fd, buf, sizeof buf) != sizeof buf) {
     29		perror("write");
     30		goto out;
     31	    }
     32	    ordinary_size = lseek(fd, 0, SEEK_CUR);
     33	
     34	    // put a hidden data beyond EOF
     35	    char *addr = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
     36	    if (addr == MAP_FAILED) {
     37		perror("mmap");
     38		goto out;
     39	    }
     40	    assert (ordinary_size < SECRET_OFF);
     41	    strcpy(addr+SECRET_OFF, "SECRET");
     42	
     43	    // finalize
     44	    if (close(fd) < 0) {
     45		perror("close");
     46		goto out;
     47	    }
     48	    if (munmap(addr, PAGESIZE) < 0) {
     49		perror("munmap");
     50		goto out;
     51	    }
     52	    rc = 0;
     53	 out:
     54	    return rc;
     55	}
     56	
     57	int
     58	r()
     59	{
     60	    int rc = -1;
     61	    int fd;
     62	    int n;
     63	    char buf[PAGESIZE];
     64	    char *addr;
     65	
     66	    // using read normally, get a ordinary data.
     67	    if ((fd = open(FILE, O_RDONLY)) < 0) {
     68		perror("open");
     69		goto out;
     70	    }
     71	    if ((n = read(fd, buf, sizeof buf)) < 0) {
     72		perror("read");
     73		goto out;
     74	    }
     75	    printf("read n=%d buf=<%s>\n", n, buf);
     76	
     77	    // using mmap, extract a hidden data.
     78	    addr = mmap(0, PAGESIZE, PROT_READ, MAP_PRIVATE, fd, 0);
     79	    if (addr == MAP_FAILED) {
     80		perror("mmap");
     81		goto out;
     82	    }
     83	    printf("SECRET_OFF=<%s>\n", addr+SECRET_OFF);
     84	
     85	    // finalize
     86	    if (close(fd) < 0) {
     87		perror("close");
     88		goto out;
     89	    }
     90	    if (munmap(addr, PAGESIZE) < 0) {
     91		perror("munmap");
     92		goto out;
     93	    }
     94	    rc = 0;
     95	 out:
     96	    return rc;
     97	}
     98	
     99	int
    100	main()
    101	{
    102	    PAGESIZE = sysconf(_SC_PAGESIZE);
    103	    if (w() < 0)
    104		goto out;
    105	    if (r() < 0)
    106		goto out;
    107	#if 1
    108	    /* erase */
    109	    truncate(FILE, ordinary_size+1);
    110	    truncate(FILE, ordinary_size);
    111	#endif
    112	    if (r() < 0)
    113		goto out;
    114	 out:
    115	    exit(0);
    116	}
 koie@guriandgura% cc -o hole hole.c
 koie@guriandgura% ./hole
 read n=5 buf=<TEST>
 SECRET_OFF=<SECRET>                 <=== "SECRET" is put beyond EOF.
 read n=5 buf=<TEST>
 SECRET_OFF=<>                       <=== "SECRET" is zero-filled by truncate().
 koie@guriandgura% cd /tmp.ufs
 koie@guriandgura% df /tmp.ufs       <=== test on UFS2.
 Filesystem  1024-blocks   Used  Avail Capacity  Mounted on
 /dev/ad4s2e      507630 320244 146776    69%    /tmp.ufs
 koie@guriandgura% /tmp/hole
 read n=5 buf=<TEST>
 SECRET_OFF=<SECRET>
 read n=5 buf=<TEST>
 SECRET_OFF=<>
 koie@guriandgura% 
 
 --
 KOIE Hidetaka / koie@suri.co.jp / SURIGIKEN Co.,LTD.
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Wed Jan 30 03:25:54 UTC 2008 
State-Changed-Why:  
Feedback received; problem still exists (with test-case code). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68765 
State-Changed-From-To: open->closed 
State-Changed-By: das 
State-Changed-When: Sun Jun 29 16:59:31 UTC 2008 
State-Changed-Why:  
This is not a bug; it is documented behavior, and other systems behave 
the same way. From the first paragraph of mmap(3): 

If len is not a multiple of the pagesize, the mapped region may extend past the specified range.  Any such 
extension beyond the end of the mapped object will be zero-filled. 

The reason for this behavior is that on most architectures it isn't possible 
to define a virtual memory protection boundary smaller than a page. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68765 
>Unformatted:
