Date: Sat, 5 Sep 2020 08:44:19 +0200
From: Markus Wichmann
To: musl@lists.openwall.com
Message-ID: <20200905064419.GB2139@voyager>
References: <20200904195251.GA2139@voyager> <20200905034153.GI3265@brightrain.aerifal.cx>
In-Reply-To: <20200905034153.GI3265@brightrain.aerifal.cx>
Subject: Re: [musl] Bug in mmap_fixed()

On Fri, Sep 04, 2020 at 11:41:54PM -0400, Rich Felker wrote:
> When I saw your report, I thought this code all ran with signals
> blocked, and actually had to check to see that this isn't the case.

In that case, making an exception for EINTR would be even weirder.

> The code should be fixed, and EINTR handling should probably be left
> in-place, just without the wrong pointer-advance logic.

See attached. Untested, obviously, since I lack a Super-H processor and
an NFS server, and even then the test case would be quite fiddly, but I
see nothing obviously wrong with it.

Ciao,
Markus

[Attachment: 0001-Fix-oversight-in-mmap_fixed.patch]

From 3f1ab59a5db1f5c5d943c37981179621d44619d2 Mon Sep 17 00:00:00 2001
From: Markus Wichmann
Date: Sat, 5 Sep 2020 08:35:57 +0200
Subject: [PATCH] Fix oversight in mmap_fixed().

If the read() call in this function ever did return EINTR (which there
is an explicit exception for), then the pointers would be backed off by
one, resulting in the file contents being loaded in shifted by one byte.
And if that happens in the first run through the loop, one byte in front
of the destination buffer would be overwritten, which is invalid.
---
 ldso/dynlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index f7474743..51c4c004 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -576,7 +576,8 @@ static void *mmap_fixed(void *p, size_t n, int prot, int flags, int fd, off_t of
 	for (q=p; n; q+=r, off+=r, n-=r) {
 		r = read(fd, q, n);
 		if (r < 0 && errno != EINTR) return MAP_FAILED;
-		if (!r) {
+		else if (r < 0) r = 0;
+		else if (!r) {
 			memset(q, 0, n);
 			break;
 		}
-- 
2.17.1
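Review bot: in the hunk at @@ -576,7 +576,8 @@, the new `else if (r < 0) r = 0;` is correct only because of the else-chain: once r has been forced to 0, the following `else if (!r)` must not run, or an EINTR retry would be mistaken for end-of-file and the rest of the mapping zero-filled. That dependency deserves either a comment on the new line (e.g. `/* EINTR: retry at the same offset */`) or an explicit shape such as `if (r < 0) { if (errno != EINTR) return MAP_FAILED; r = 0; continue; }`, which keeps the retry out of the EOF branch and survives later edits to the EOF check. The fix itself does what the commit message asks: with r == 0 the unchanged increment `q+=r, off+=r, n-=r` leaves all three values in place instead of stepping them back by one.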
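The commit message above describes the failure in words; the following is an added example (not code from musl or from this thread) that reproduces it against a constructed stand-in for read(2). The stand-in `fake_read`, the `SRC` payload, the guard byte and the `run_case` helper are all assumptions made for the demonstration; `off` is dropped from both loops because the stand-in does not seek. The buggy loop and the patched loop are otherwise the before and after of the hunk, and the guard byte in front of the destination makes the one-byte back-shift visible without writing outside an array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for read(2) (not the real syscall): it hands out
 * SRC in short reads of at most two bytes, returns 0 at end of file, and
 * fails with EINTR on call number fail_on (0 = never fail). */
static const char SRC[] = "abcdefgh";
static size_t src_pos;
static int call_no, fail_on;

static ssize_t fake_read(char *q, size_t n)
{
	call_no++;
	if (call_no == fail_on) {
		errno = EINTR;
		return -1;
	}
	size_t left = sizeof SRC - 1 - src_pos;
	if (left == 0) return 0;
	if (n > 2) n = 2;
	if (n > left) n = left;
	memcpy(q, SRC + src_pos, n);
	src_pos += n;
	return (ssize_t)n;
}

static void reset_source(int fail)
{
	src_pos = 0;
	call_no = 0;
	fail_on = fail;
}

/* The loop as it was before the patch (off dropped, since the stand-in
 * does not seek). An EINTR result of -1 is fed straight into the loop
 * increment, so q is moved back one byte and n grows by one. */
static int buggy_fill(char *p, size_t n)
{
	char *q;
	ssize_t r;
	for (q = p; n; q += r, n -= r) {
		r = fake_read(q, n);
		if (r < 0 && errno != EINTR) return -1;
		if (!r) {
			memset(q, 0, n);
			break;
		}
	}
	return 0;
}

/* The same loop with the patch applied: EINTR is turned into r = 0 so
 * the increment leaves q and n untouched and the read is simply retried. */
static int fixed_fill(char *p, size_t n)
{
	char *q;
	ssize_t r;
	for (q = p; n; q += r, n -= r) {
		r = fake_read(q, n);
		if (r < 0 && errno != EINTR) return -1;
		else if (r < 0) r = 0;      /* EINTR: retry at the same position */
		else if (!r) {
			memset(q, 0, n);
			break;
		}
	}
	return 0;
}

/* Runs one variant against an 8-byte destination that sits behind a
 * guard byte 'G', so the one-byte back-shift lands on the guard instead
 * of outside the array. Returns the guard followed by the 8 payload bytes
 * as a C string, or "FAIL" if the loop reported an error. */
static const char *run_case(int use_fixed, int fail_on_call)
{
	static char buf[1 + 8 + 1];
	memset(buf, 'G', sizeof buf - 1);
	buf[sizeof buf - 1] = '\0';
	reset_source(fail_on_call);
	int rc = use_fixed ? fixed_fill(buf + 1, 8) : buggy_fill(buf + 1, 8);
	return rc ? "FAIL" : buf;
}

int main(void)
{
	printf("buggy, no EINTR     : %s\n", run_case(0, 0)); /* Gabcdefgh */
	printf("buggy, EINTR on 1st : %s\n", run_case(0, 1)); /* abcdefgh: guard overwritten */
	printf("buggy, EINTR on 3rd : %s\n", run_case(0, 3)); /* Gabcefgh: 'd' lost */
	printf("fixed, EINTR on 1st : %s\n", run_case(1, 1)); /* Gabcdefgh */
	printf("fixed, EINTR on 3rd : %s\n", run_case(1, 3)); /* Gabcdefgh */
	return 0;
}
```

An EINTR on the first call shows the out-of-bounds case from the commit message (the guard byte in front of the buffer is overwritten and the payload is shifted), while an EINTR in the middle shows the quieter corruption where a later short read lands on top of bytes already copied. The patched loop produces the same bytes whether or not the stand-in injects EINTR.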