From c00ae961ff8dbc036322fdb41137a7dedac005c9 Mon Sep 17 00:00:00 2001 From: Maciej Czekaj Date: Wed, 28 Sep 2016 12:52:57 +0200 Subject: [PATCH] mem: fix crash on hugepage mapping error In ASLR-enabled system, it is possible that selected virtual space is occupied by program segments. Therefore, error path should not blindly unmap all memmory segments but only those already mapped. Steps that lead to crash: 1. memeseg 0 in secondary process overlaps with libc.so 2. mmap of /dev/zero fails for virtual space of memseg 0 3. munmap of memseg 0 leads to unmapping libc.so itself 4. app gets SIGSEGV after returning from syscall to libc Fixes: ea329d7f8e34 ("mem: fix leak after mapping failure") Signed-off-by: Maciej Czekaj --- lib/librte_eal/linuxapp/eal/eal_memory.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c index 8add643436..b0049e2e94 100644 --- a/lib/librte_eal/linuxapp/eal/eal_memory.c +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c @@ -1278,6 +1278,7 @@ rte_eal_hugepage_attach(void) struct hugepage_file *hp = NULL; unsigned num_hp = 0; unsigned i, s = 0; /* s used to track the segment number */ + unsigned max_seg = RTE_MAX_MEMSEG; off_t size; int fd, fd_zero = -1, fd_hugepage = -1; @@ -1336,6 +1337,9 @@ rte_eal_hugepage_attach(void) "in /dev/zero to requested address [%p]: '%s'\n", (unsigned long long)mcfg->memseg[s].len, mcfg->memseg[s].addr, strerror(errno)); + max_seg = s; + if (base_addr != MAP_FAILED) + munmap(base_addr, mcfg->memseg[s].len); if (aslr_enabled() > 0) { RTE_LOG(ERR, EAL, "It is recommended to " "disable ASLR in the kernel " @@ -1404,11 +1408,8 @@ rte_eal_hugepage_attach(void) return 0; error: - s = 0; - while (s < RTE_MAX_MEMSEG && mcfg->memseg[s].len > 0) { - munmap(mcfg->memseg[s].addr, mcfg->memseg[s].len); - s++; - } + for (i = 0; i < max_seg && mcfg->memseg[i].len > 0; i++) + munmap(mcfg->memseg[i].addr, mcfg->memseg[i].len); if (hp != NULL && hp != MAP_FAILED) munmap(hp, size); if (fd_zero >= 0) -- 2.20.1