It's a serious memory corruption bug mitigated by the fact that barely anything has adopted this API. Some users of the API like the kernel itself were completely broken / incorrect before it existed, so moving to it wasn't a regression for those but wasn't a complete fix either.
I think the thought process for introducing this API was wrong which led to it being broken. The correct way to use MAP_FIXED and MREMAP_FIXED is replacing an existing mapping known to exist. MAP_FIXED_NOREPLACE is only an *optimization* for using mmap hints *without* MAP_FIXED.
It's an optimization avoiding the need to unmap the mapping created at the wrong address by a failed attempt at using a hint. It can be introduced to existing code using the pattern just by adding MAP_FIXED_NOREPLACE as a flag and it will just keep working as is on older kernels.
It causes memory corruption so it's a security bug and could get a CVE assigned to encourage backporting for anyone using 4.17 and 4.18. It will hopefully be fixed before 4.19 is released. Bugs are usually a lot more subtle than this but that isn't necessarily a positive thing.
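The hint-then-verify pattern the thread describes, with MAP_FIXED_NOREPLACE added as a drop-in flag, as an added C example that is not code from the thread or its author. It assumes Linux (where a kernel that does not know the flag ignores it and treats the address as a plain hint, so the caller must still check where the mapping landed); the function names map_at_hint, demo and map_fixed_clobbers are my own, and the fallback #define of the flag value is the generic Linux UAPI value for the benefit of older headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
/* Generic Linux UAPI value; only used when the system headers predate the flag. */
#define MAP_FIXED_NOREPLACE 0x100000
#endif

/* Map `len` anonymous bytes at exactly `hint`, or fail without touching
 * whatever is already mapped there. Works on both old and new kernels:
 *  - new kernel: the flag makes mmap fail with EEXIST if the range is occupied;
 *  - old kernel: the unknown flag is ignored, mmap may place the mapping
 *    elsewhere, and we unmap that stray mapping ourselves (the "optimization"
 *    the flag removes is exactly this extra munmap). */
void *map_at_hint(void *hint, size_t len) {
    void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) {
        /* errno == EEXIST here means a NOREPLACE-aware kernel refused to clobber. */
        return MAP_FAILED;
    }
    if (p != hint) {
        /* Hint was not honoured (old kernel path): discard and report failure. */
        munmap(p, len);
        return MAP_FAILED;
    }
    return p;
}

/* Returns 1 when (a) mapping over an existing region is refused and leaves that
 * region's contents intact, and (b) the same call succeeds once the range is free. */
int demo(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE) * 4;
    unsigned char *existing = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (existing == MAP_FAILED)
        return 0;
    existing[0] = 0xAB;                      /* constructed marker byte */

    void *p = map_at_hint(existing, len);    /* must NOT replace `existing` */
    if (p != MAP_FAILED) {
        munmap(p, len);
        munmap(existing, len);
        return 0;
    }
    if (existing[0] != 0xAB) {               /* contents must be untouched */
        munmap(existing, len);
        return 0;
    }

    munmap(existing, len);                   /* now the range is genuinely free */
    p = map_at_hint(existing, len);
    if (p != (void *)existing) {
        if (p != MAP_FAILED)
            munmap(p, len);
        return 0;
    }
    munmap(p, len);
    return 1;
}

/* Contrast: plain MAP_FIXED is for replacing a mapping you know exists.
 * Returns 1 if the marker byte in the first mapping is wiped by the second. */
int map_fixed_clobbers(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *a = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (a == MAP_FAILED)
        return 0;
    a[0] = 0xAB;
    void *b = mmap(a, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int clobbered = (b == (void *)a) && a[0] == 0;   /* fresh anonymous page reads as 0 */
    munmap(a, len);
    return clobbered;
}

int main(void) {
    printf("hint-then-verify with MAP_FIXED_NOREPLACE: %s\n",
           demo() ? "collision refused, free range mapped" : "unexpected behaviour");
    printf("plain MAP_FIXED replaced the existing mapping: %s\n",
           map_fixed_clobbers() ? "yes" : "no");
    return 0;
}
```

The point of keeping the `p != hint` check even with the flag set is the backward compatibility the thread mentions: on a kernel that does not know MAP_FIXED_NOREPLACE the call degrades to an ordinary hint, and the caller, not the kernel, is what prevents a stray mapping from being treated as the one it asked for.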