Subject: Re: new mremap(2): relax alignment restrictions?
To: Darren Reed <darrenr@netbsd.org>
From: Eric Haszlakiewicz <erh@nimenees.com>
List: tech-kern
Date: 07/25/2007 14:39:42
On Wed, Jul 25, 2007 at 08:06:01AM +0200, Darren Reed wrote:
> Eric Haszlakiewicz wrote:
> ...
> > I suppose there's a bit of a performance hit with zeroing out the page
> > every time, but it seems like a necessary thing to do. A couple other
> > OSes I've tried it on do so.
>
> There are security implications if we're not doing so.
>
> Do you have a program that can demonstrate being able to access
> "random garbage" in this manner?
Yep. See the end of this email for the source.
echo "12345123451234" > test
gcc aa.c
./a.out
First time I run this I get:
----
3 0
bbae2000 0
12345123451234
----
Second time I get:
----
3 0
bbae2000 0
12345123451234
RR
----
aa.c:

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
	/* "test" holds 15 bytes: "12345123451234\n" (see the echo above) */
	int d = open("test", O_RDWR, 0600);
	printf("%d %d\n", d, errno);
	if (d < 0)
		return 1;

	/* map just the 15 bytes of the file; the rest of that page lies past EOF */
	char *p = mmap(NULL, 15, PROT_READ|PROT_WRITE, MAP_FILE|MAP_SHARED, d, 0);
	printf("%p %d\n", (void *)p, errno);
	if (p == MAP_FAILED)
		return 1;

	/* prints the file contents followed by whatever the tail of the page holds */
	printf("%s\n", p);

	/* write beyond the 15-byte mapping, but still inside the same page */
	p[15] = 'R';
	p[16] = 'R';

	munmap(p, 15);
	close(d);
	return 0;
}
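For anyone who wants to check whether their own system zero-fills the partial
page at the end of a mapped file (POSIX requires it), the program below is an
added example and not part of the original message or of the NetBSD tree. It
writes a short constructed string to a fresh temporary file under /tmp, maps
the file's first full page read-only, and scans every byte between EOF and the
end of the page; any non-zero byte there is stale data leaking through the
mapping. It assumes a POSIX mmap(2), mkstemp(3), sysconf(_SC_PAGESIZE) and a
writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Writes `content` to a fresh temporary file, maps that file's first page and
 * reports whether every byte from EOF to the end of the page reads as zero.
 * Returns 1 if the tail is all zero, 0 if a stale (non-zero) byte was found
 * (its offset is stored in *first_bad when first_bad is non-NULL), and -1 on
 * error or when `content` does not leave a partial page to inspect.
 * The temporary file is unlinked right away, so nothing is left behind. */
int tail_is_zero_filled(const char *content, size_t *first_bad)
{
    char path[] = "/tmp/mmap-tail-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                            /* fd keeps the file alive */

    size_t len = strlen(content);
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0 || len == 0 || len >= (size_t)pagesz) {
        close(fd);
        return -1;                           /* need 0 < len < page size */
    }
    if (write(fd, content, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }

    /* Map the whole page so that every index below pagesz is inside the
     * mapping; only offsets [len, pagesz) are past EOF. */
    unsigned char *p = mmap(NULL, (size_t)pagesz, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return -1;
    }

    int result = 1;
    for (size_t i = len; i < (size_t)pagesz; i++) {
        if (p[i] != 0) {
            if (first_bad)
                *first_bad = i;
            result = 0;
            break;
        }
    }

    munmap(p, (size_t)pagesz);
    close(fd);
    return result;
}

int main(void)
{
    size_t bad = 0;
    /* same 15-byte content as the "test" file used in the thread */
    int r = tail_is_zero_filled("12345123451234\n", &bad);
    if (r == 1)
        puts("partial page tail is zero-filled");
    else if (r == 0)
        printf("stale byte found at offset %zu past EOF\n", bad);
    else
        perror("check could not run");
    return r == 1 ? 0 : 1;
}
```

A result of 0 is the condition discussed above: bytes past EOF that were never
cleared are readable through the mapping, and whatever previously occupied
that page (or that disk block) is exposed to any process that can map the file.
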