Date:      Sun, 18 Nov 2007 18:59:48 +0900 (JST)
From:      KOIE Hidetaka (=?iso-2022-jp?B?GyRCOHE5PjFRTjQhdz90TX01OzgmGyhC?=) <koie@suri.co.jp>
To:        kmacy@FreeBSD.org
Cc:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/68765: [mmap] a little data can be stored beyond EOF.
Message-ID:  <20071118.185948.48396210718579169.koie@suri.co.jp>
In-Reply-To: <200711180820.lAI8KAB0057218@freefall.freebsd.org>
References:  <200711180820.lAI8KAB0057218@freefall.freebsd.org>

  Message-Id: <200711180820.lAI8KAB0057218@freefall.freebsd.org>
  Date:       Sun, 18 Nov 2007 08:20:10 GMT
  From:       kmacy@FreeBSD.org
  Subject:    Re: kern/68765: [mmap] a little data can be stored beyon..

  | Synopsis: [mmap] a little data can be stored beyond EOF.
  | 
  | State-Changed-From-To: open->feedback
  | State-Changed-By: kmacy
  | State-Changed-When: Sun Nov 18 08:19:22 UTC 2007
  | State-Changed-Why: 
  | 
  | Does this still occur? If so please mail your test case inline.
  | 
  | http://www.freebsd.org/cgi/query-pr.cgi?pr=68765
  | 

Yes.

koie@guriandgura% uname -a
FreeBSD guriandgura 8.0-CURRENT FreeBSD 8.0-CURRENT #2: Fri Nov 16 14:33:17 JST 2007     koie@guriandgura:/usr/obj/usr/src/sys/GURIANDGURA  amd64
koie@guriandgura% cd /tmp
koie@guriandgura% df /tmp
Filesystem 1024-blocks Used      Avail Capacity  Mounted on
tank/tmp    1305033600  128 1305033472     0%    /tmp    <==== /tmp is ZFS now.
koie@guriandgura% cat -n hole.c
     1	#include <assert.h>
     2	#include <stdio.h>
     3	#include <stdlib.h>
     4	#include <string.h>
     5	#include <fcntl.h>
     6	#include <sys/types.h>
     7	#include <sys/mman.h>
     8	#include <unistd.h>
     9	
      	/* NOTE(review): page size in bytes; main() sets it from sysconf(_SC_PAGESIZE). */
    10	int PAGESIZE;
    11	
      	/*
      	 * NOTE(review): FILE is the path of the test file, opened relative to
      	 * the current directory.  The macro reuses the name of the stdio FILE
      	 * type from <stdio.h>; nothing below declares a stdio stream, so the
      	 * clash has no effect in this listing.
      	 */
    12	#define FILE "empty.dat"
      	/* NOTE(review): byte offset inside the mapped page where w() stores "SECRET". */
    13	#define SECRET_OFF 1000
      	/* NOTE(review): file offset after the write in w(); w() asserts it is below SECRET_OFF. */
    14	int ordinary_size;
    15	
      	/*
      	 * NOTE(review): w() creates FILE (mode 0600, truncated), writes
      	 * sizeof "TEST" bytes to it with write(2) and records the resulting
      	 * offset in ordinary_size.  It then maps PAGESIZE bytes of the file
      	 * MAP_SHARED and copies "SECRET" to offset SECRET_OFF of the mapping,
      	 * which the assert places after the written data.  Those bytes lie
      	 * outside what read(2) returns for the file (n=5 in the recorded run),
      	 * which is the condition the PR reports.
      	 * Returns 0 on success; on a failed call prints perror() and returns -1.
      	 * The error paths return without closing fd or unmapping addr.
      	 */
    16	int
    17	w()
    18	{
    19	    int rc = -1;
    20	    int fd;
    21	
    22	    // write ordinary data normally
    23	    if ((fd = open(FILE, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) {
    24		perror("open");
    25		goto out;
    26	    }
      	    // sizeof buf counts the terminating NUL, so 5 bytes are written
    27	    char buf[] = "TEST";
    28	    if (write(fd, buf, sizeof buf) != sizeof buf) {
    29		perror("write");
    30		goto out;
    31	    }
      	    // offset after the write, used as the file length; lseek() returns
      	    // off_t (stored in an int here) and a -1 result is not checked
    32	    ordinary_size = lseek(fd, 0, SEEK_CUR);
    33	
    34	    // put hidden data beyond EOF
      	    // NOTE(review): the mapping is PAGESIZE bytes long although the file
      	    // holds only ordinary_size bytes; the rest of the page is past EOF.
    35	    char *addr = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    36	    if (addr == MAP_FAILED) {
    37		perror("mmap");
    38		goto out;
    39	    }
      	    // only checks that SECRET_OFF is past the written data; that
      	    // SECRET_OFF + sizeof "SECRET" fits inside PAGESIZE is assumed
    40	    assert (ordinary_size < SECRET_OFF);
      	    // store through the shared mapping; the file length is not changed
    41	    strcpy(addr+SECRET_OFF, "SECRET");
    42	
    43	    // finalize
      	    // fd is closed before munmap(); the mapping stays valid until munmap()
    44	    if (close(fd) < 0) {
    45		perror("close");
    46		goto out;
    47	    }
    48	    if (munmap(addr, PAGESIZE) < 0) {
    49		perror("munmap");
    50		goto out;
    51	    }
    52	    rc = 0;
    53	 out:
    54	    return rc;
    55	}
    56	
      	/*
      	 * NOTE(review): r() opens FILE read-only and shows its content two
      	 * ways: first the bytes returned by read(2), then the string found at
      	 * SECRET_OFF in a PROT_READ, MAP_PRIVATE mapping of the first PAGESIZE
      	 * bytes.  Comparing the two outputs is how the listing shows data that
      	 * is reachable through mmap(2) but not through read(2).
      	 * Returns 0 on success; on a failed call prints perror() and returns -1
      	 * without closing fd or unmapping addr.
      	 */
    57	int
    58	r()
    59	{
    60	    int rc = -1;
    61	    int fd;
    62	    int n;
      	    // variable-length array sized at run time; not initialised
    63	    char buf[PAGESIZE];
    64	    char *addr;
    65	
    66	    // using read normally, get ordinary data.
    67	    if ((fd = open(FILE, O_RDONLY)) < 0) {
    68		perror("open");
    69		goto out;
    70	    }
    71	    if ((n = read(fd, buf, sizeof buf)) < 0) {
    72		perror("read");
    73		goto out;
    74	    }
      	    // %s relies on a NUL inside the n bytes read (w() wrote one after
      	    // "TEST"); buf is not terminated by this function itself
    75	    printf("read n=%d buf=<%s>\n", n, buf);
    76	
    77	    // using mmap, extract hidden data.
      	    // NOTE(review): this is a new mapping, made after w() unmapped its own.
      	    // POSIX mmap() says changes to the last page past the end of the object
      	    // are not written out; the run does not show whether these bytes
      	    // reached disk or were only kept in memory.
    78	    addr = mmap(0, PAGESIZE, PROT_READ, MAP_PRIVATE, fd, 0);
    79	    if (addr == MAP_FAILED) {
    80		perror("mmap");
    81		goto out;
    82	    }
      	    // %s stops at the first NUL at or after SECRET_OFF; a zero-filled
      	    // page tail therefore prints as <>
    83	    printf("SECRET_OFF=<%s>\n", addr+SECRET_OFF);
    84	
    85	    // finalize
    86	    if (close(fd) < 0) {
    87		perror("close");
    88		goto out;
    89	    }
    90	    if (munmap(addr, PAGESIZE) < 0) {
    91		perror("munmap");
    92		goto out;
    93	    }
    94	    rc = 0;
    95	 out:
    96	    return rc;
    97	}
    98	
      	/*
      	 * NOTE(review): main() runs w(), then r(), then (inside #if 1) grows
      	 * FILE by one byte and shrinks it back with truncate(2), then runs r()
      	 * again.  In the recorded run the second r() prints an empty string at
      	 * SECRET_OFF.  The process exits with status 0 on every path, including
      	 * after a failed w() or r().
      	 */
    99	int
   100	main()
   101	{
      	    /* sysconf() returns long, and -1 on error; the value is narrowed to
      	     * int and used as a mapping length without a check. */
   102	    PAGESIZE = sysconf(_SC_PAGESIZE);
   103	    if (w() < 0)
   104		goto out;
   105	    if (r() < 0)
   106		goto out;
   107	#if 1
   108	    /* erase: extend the file by one byte, then cut it back to its
      	     * original length; the return values of truncate() are ignored */
   109	    truncate(FILE, ordinary_size+1);
   110	    truncate(FILE, ordinary_size);
   111	#endif
   112	    if (r() < 0)
   113		goto out;
   114	 out:
   115	    exit(0);
   116	}
koie@guriandgura% cc -o hole hole.c
koie@guriandgura% ./hole
read n=5 buf=<TEST>
SECRET_OFF=<SECRET>                 <=== "SECRET" is put beyond EOF.
read n=5 buf=<TEST>
SECRET_OFF=<>                       <=== "SECRET" is zero-filled by truncate().
koie@guriandgura% cd /tmp.ufs
koie@guriandgura% df /tmp.ufs       <=== test on UFS2.
Filesystem  1024-blocks   Used  Avail Capacity  Mounted on
/dev/ad4s2e      507630 320244 146776    69%    /tmp.ufs
koie@guriandgura% /tmp/hole
read n=5 buf=<TEST>
SECRET_OFF=<SECRET>
read n=5 buf=<TEST>
SECRET_OFF=<>
koie@guriandgura% 

--
KOIE Hidetaka / koie@suri.co.jp / SURIGIKEN Co.,LTD.


