Check for wrap-around in vm_phys_alloc_seg_contig().
Closed, Public

Authored by kib on Mar 20 2018, 10:27 AM.
Details

Summary

It is possible to provide insane values for size in a contigmalloc(9) request, which usually does not reach the phys allocator due to failing KVA allocation. But with the 4/4 i386, where the 32-bit architecture has almost 4G KVA, contigmalloc(1G) is not unreasonable outright and KVA might be available sometimes.

Then, the calculation of pa_end could wrap around, depending on the physical address, and the checks in vm_phys_alloc_seg_contig() would pass while the iteration in the loop after the 'done' label goes out of the vm_page_array bounds.

Fix it by detecting the wrap.

Reported and tested by: pho
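
An added illustration, not code from the FreeBSD tree or from this revision: a reduced model of the range check with a 32-bit physical address type, showing how a wrapped end address passes a bounds test and how a wrap check rejects it. The names `paddr_t`, `struct seg`, `fits_naive`, `fits_checked`, `overrun_pages` and the segment values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

typedef uint32_t paddr_t;             /* assumption: 32-bit physical addresses */
struct seg { paddr_t start, end; };   /* hypothetical segment [start, end) */

/* Constructed sample segment: 0xC0000000 .. 0xF0000000 */
static const struct seg demo_seg = { 0xC0000000u, 0xF0000000u };

/* Bounds test that trusts pa + size; the sum is taken modulo 2^32. */
static bool fits_naive(const struct seg *s, paddr_t pa, paddr_t size)
{
    paddr_t pa_end = pa + size;
    return pa >= s->start && pa_end <= s->end;
}

/* Same test, but a wrapped end address is rejected first. */
static bool fits_checked(const struct seg *s, paddr_t pa, paddr_t size)
{
    paddr_t pa_end = pa + size;
    if (pa_end < pa)
        return false;
    return pa >= s->start && pa_end <= s->end;
}

/* Page entries that a size/PAGE_SIZE loop starting at pa (inside the
 * segment) would index past s->end. */
static uint32_t overrun_pages(const struct seg *s, paddr_t pa, paddr_t size)
{
    uint32_t want = size / PAGE_SIZE;
    uint32_t have = (s->end - pa) / PAGE_SIZE;
    return want > have ? want - have : 0;
}

int main(void)
{
    paddr_t pa = 0xE0000000u, size = 0x40000000u;   /* 1G request near the top */
    printf("naive=%d checked=%d overrun=%u pages\n",
        fits_naive(&demo_seg, pa, size), fits_checked(&demo_seg, pa, size),
        (unsigned)overrun_pages(&demo_seg, pa, size));
    return 0;
}
```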

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 15656

Event Timeline

kib added a subscriber: pho.
sys/vm/vm_phys.c
1192

Doesn't the first condition suffice?

Remove redundant check.

This revision is now accepted and ready to land. Mar 20 2018, 3:39 PM
This revision was automatically updated to reflect the committed changes.