diff options
| author |   kettenis <kettenis@openbsd.org> | 2016-07-30 16:43:44 +0000 |
|---|---|---|
| committer | kettenis <kettenis@openbsd.org> | 2016-07-30 16:43:44 +0000 |
| commit | d77b4202ac968dfdac8257977f51001577f61bff (patch) | |
| tree | a6ae637774d8e56734d9b5e23960bac87a9d20d9 | |
| parent | Add a few checks for potential integer overflow and underflow related to the (diff) | |
| download | wireguard-openbsd-d77b4202ac968dfdac8257977f51001577f61bff.tar.xz wireguard-openbsd-d77b4202ac968dfdac8257977f51001577f61bff.zip | |
Check for wraparound before the "commit" phase of uvm_map() and uvm_mapanon(),
to prevent hitting assertions and/or corrupting data structures during that
phase.
ok deraadt@, tedu@
| -rw-r--r-- | sys/uvm/uvm_map.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/sys/uvm/uvm_map.c b/sys/uvm/uvm_map.c index 254dd4da146..41e63bddb96 100644 --- a/sys/uvm/uvm_map.c +++ b/sys/uvm/uvm_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uvm_map.c,v 1.218 2016/07/29 20:44:40 tedu Exp $ */ +/* $OpenBSD: uvm_map.c,v 1.219 2016/07/30 16:43:44 kettenis Exp $ */ /* $NetBSD: uvm_map.c,v 1.86 2000/11/27 08:40:03 chs Exp $ */ /* @@ -1036,6 +1036,12 @@ uvm_mapanon(struct vm_map *map, vaddr_t *addr, vsize_t sz, goto unlock; } + /* Double-check if selected address doesn't cause overflow. */ + if (*addr + sz < *addr) { + error = ENOMEM; + goto unlock; + } + /* If we only want a query, return now. */ if (flags & UVM_FLAG_QUERY) { error = 0; @@ -1279,6 +1285,12 @@ uvm_map(struct vm_map *map, vaddr_t *addr, vsize_t sz, goto unlock; } + /* Double-check if selected address doesn't cause overflow. */ + if (*addr + sz < *addr) { + error = ENOMEM; + goto unlock; + } + KASSERT((map->flags & VM_MAP_ISVMSPACE) == VM_MAP_ISVMSPACE || uvm_maxkaddr >= *addr + sz); |