From: Jann Horn <jannh@google.com>
To: Alejandro Colomar <alx@kernel.org>
Cc: linux-man@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>,
linux-mm@kvack.org
Subject: [PATCH man] mmap.2: Document danger of mappings larger than PTRDIFF_MAX
Date: Wed, 9 Apr 2025 22:03:16 +0200 [thread overview]
Message-ID: <20250409200316.1555164-1-jannh@google.com> (raw)
References:
- C99 draft: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf
section "6.5.6 Additive operators", paragraph 9
- object size restriction in GCC:
https://gcc.gnu.org/legacy-ml/gcc/2011-08/msg00221.html
- glibc malloc restricts object size to <=PTRDIFF_MAX in
checked_request2size()
---
I'm not sure if we can reasonably do anything about this in the kernel,
given that the kernel does not really have any idea of what userspace
object sizes look like, or whether userspace even wants C semantics.
But we can at least document it...
@man-pages maintainer: Please wait a few days before applying this;
I imagine there might be some discussion about this.
man/man2/mmap.2 | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/man/man2/mmap.2 b/man/man2/mmap.2
index caf822103..9cb7dacf3 100644
--- a/man/man2/mmap.2
+++ b/man/man2/mmap.2
@@ -785,6 +785,23 @@ correspond to added or removed regions of the file is unspecified.
An application can determine which pages of a mapping are
currently resident in the buffer/page cache using
.BR mincore (2).
+.P
+Unlike typical
+.BR malloc (3)
+implementations,
+.BR mmap ()
+does not prevent creating objects larger than
+.B PTRDIFF_MAX.
+Objects that are larger than
+.B PTRDIFF_MAX
+only work in limited ways in standard C (in particular, pointer subtraction
+results in undefined behavior if the result would be bigger than
+.B PTRDIFF_MAX).
+On top of that, GCC also assumes that no object is bigger than
+.B PTRDIFF_MAX.
+.B PTRDIFF_MAX
+is usually half of the address space size; so for 32-bit processes, it is
+usually 0x7fffffff (almost 2 GiB).
.\"
.SS Using MAP_FIXED safely
The only safe use for
base-commit: 4c4d9f0f5148caf1271394018d0f7381c1b8b400
--
2.49.0.504.g3bcea36a83-goog
next reply other threads:[~2025-04-09 20:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-09 20:03 Jann Horn [this message]
2025-04-09 20:25 ` Jakub Wilk
2025-04-09 20:41 ` Alejandro Colomar
2025-04-10 18:08 ` Jann Horn
2025-04-10 20:30 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250409200316.1555164-1-jannh@google.com \
--to=jannh@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alx@kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox