From c9f8066697e0d3e77b97f6df423e9d6540b693be Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Fri, 24 Jul 2020 14:23:14 -0700 Subject: [PATCH] linux-user: Ensure mmap_min_addr is non-zero When the chroot does not have /proc mounted, we can read neither /proc/sys/vm/mmap_min_addr nor /proc/sys/maps. The enforcement of mmap_min_addr in the host kernel is done by the security module, and so does not apply to processes owned by root. Which leads pgd_find_hole_fallback to succeed in probing a reservation at address 0. Which confuses pgb_reserved_va to believe that guest_base has not actually been initialized. We don't actually want NULL addresses to become accessible, so make sure that mmap_min_addr is initialized with a non-zero value. Buglink: https://bugs.launchpad.net/qemu/+bug/1888728 Reported-by: John Paul Adrian Glaubitz Signed-off-by: Richard Henderson Tested-by: John Paul Adrian Glaubitz Acked-by: Laurent Vivier Message-Id: <20200724212314.545877-1-richard.henderson@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/main.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/linux-user/main.c b/linux-user/main.c index 3597e99bb1..75c9785157 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -758,14 +758,26 @@ int main(int argc, char **argv, char **envp) if ((fp = fopen("/proc/sys/vm/mmap_min_addr", "r")) != NULL) { unsigned long tmp; - if (fscanf(fp, "%lu", &tmp) == 1) { + if (fscanf(fp, "%lu", &tmp) == 1 && tmp != 0) { mmap_min_addr = tmp; - qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n", mmap_min_addr); + qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n", + mmap_min_addr); } fclose(fp); } } + /* + * We prefer to not make NULL pointers accessible to QEMU. + * If we're in a chroot with no /proc, fall back to 1 page. + */ + if (mmap_min_addr == 0) { + mmap_min_addr = qemu_host_page_size; + qemu_log_mask(CPU_LOG_PAGE, + "host mmap_min_addr=0x%lx (fallback)\n", + mmap_min_addr); + } + /* * Prepare copy of argv vector for target. */