Subject: kern/16464: mmap doesn't check size variable sufficiently
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 04/23/2002 12:51:12
>Number: 16464
>Category: kern
>Synopsis: mmap doesn't check size variable sufficiently
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 23 12:52:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Release: NetBSD 1.5ZC
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Environment:
System: NetBSD capsicum.wsrcc.com 1.5ZC NetBSD 1.5ZC (WSRCC_ATHLON) #75: Sun Apr 14 08:04:22 PDT 2002 wolfgang@capsicum.wsrcc.com:/v/src/netbsd/src/sys/arch/i386/compile/WSRCC_ATHLON i386
Architecture: i386
Machine: i386
>Description:
mmap doesn't check the size variable sufficiently and one
is allowed to map 0xfffffff0 bytes. The returned area would
wrap around memory it is so large.
Marked non-critical and low because it only affects test
programs that attempt to figure out how much mmap-ed memory
they have to play with.
>How-To-Repeat:
/* cc -O2 -g -Wall -Wmissing-prototypes -Wmissing-declarations -Wuninitialized -o bugtest bugtest.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <fcntl.h>

int
main(void)
{
	int fd;
	void *ptr;

	fd = open("/dev/wd0d", O_RDONLY);	/* i386 */
	if (fd == -1) {
		/* without a valid fd, mmap fails for an unrelated reason */
		perror("open");
		exit(2);
	}
	ptr = mmap(NULL,		/* requested addr in our mem space */
		   0xfffffff0,		/* size of mapped area */
		   PROT_READ,		/* prot */
		   MAP_FILE,		/* flags */
		   fd,			/* fd */
		   0);			/* offset in fd */
	if (ptr != MAP_FAILED) {
		printf("Succeeded in mapping a region that wrapped around memory!\n");
		exit(1);
	}
	exit(0);
}
>Fix:
Check that the kernel doesn't round the size request up and
only then applies the size sanity tests.
>Release-Note:
>Audit-Trail:
>Unformatted:
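
Added example, not part of the original report and not NetBSD kernel code: a user-space model of the ordering problem the >Fix: section suspects, where a 32-bit size is rounded up to a page boundary before it is sanity-checked. The 4096-byte page size, the MAX_MAP_32 limit and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_32 4096u                /* assumed i386 page size */
#define PAGE_MASK_32 (PAGE_SIZE_32 - 1u)
#define MAX_MAP_32   0xC0000000u          /* constructed upper bound, not a kernel value */

/* Round up to a page boundary in 32-bit arithmetic. For sizes within
 * one page of 2^32 the addition wraps and the result is 0. */
uint32_t round_page32(uint32_t size)
{
    return (size + PAGE_MASK_32) & ~PAGE_MASK_32;
}

/* Suspected order: round first, then check. Returns 1 if accepted. */
int accept_round_then_check(uint32_t size)
{
    uint32_t rounded = round_page32(size);
    return rounded <= MAX_MAP_32;         /* a wrapped 0 passes */
}

/* Hardened order: test the raw request before rounding.
 * Returns the rounded size, or 0 if the request is rejected. */
uint32_t checked_round(uint32_t size)
{
    if (size == 0 || size > UINT32_MAX - PAGE_MASK_32)
        return 0;                         /* rounding would wrap */
    uint32_t rounded = round_page32(size);
    return rounded <= MAX_MAP_32 ? rounded : 0;
}

int main(void)
{
    uint32_t req = 0xfffffff0u;           /* size used in the report */
    printf("round_page32(%#x) = %#x\n", (unsigned)req, (unsigned)round_page32(req));
    printf("round-then-check accepts: %d\n", accept_round_then_check(req));
    printf("check-then-round result:  %#x\n", (unsigned)checked_round(req));
    return 0;
}
```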