linux-user: Fix signed math overflow in brk() syscall

Fix the math overflow when calculating the new_malloc_size. new_host_brk_page and brk_page are unsigned integers. If userspace reduces the heap, new_host_brk_page is lower than brk_page which results in a huge positive number (but should actually be negative). Fix it by adding a proper check and as such make the code more readable. Signed-off-by: Helge Deller <deller@gmx.de> Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Fixes: 86f0473 ("linux-user: Fix brk() to release pages") Cc: qemu-stable@nongnu.org Buglink: upx/upx#683 (cherry picked from commit eac78a4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
qemu · Jul 31, 2023 · f90a8b9 · f90a8b9
1 parent c4a4731
commit f90a8b9
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
@@ -860,12 +860,13 @@ abi_long do_brk(abi_ulong brk_val)
      * itself); instead we treat "mapped but at wrong address" as
      * a failure and unmap again.
      */
-    new_alloc_size = new_host_brk_page - brk_page;
-    if (new_alloc_size) {
+    if (new_host_brk_page > brk_page) {
+        new_alloc_size = new_host_brk_page - brk_page;
         mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
                                         PROT_READ|PROT_WRITE,
                                         MAP_ANON|MAP_PRIVATE, 0, 0));
     } else {
+        new_alloc_size = 0;
         mapped_addr = brk_page;
     }