The branch main has been updated by olce:
URL:
https://cgit.FreeBSD.org/src/commit/?id=291b7bf071e8b50f2b7877213b2d3307ae5d3e38
commit 291b7bf071e8b50f2b7877213b2d3307ae5d3e38
Author: Olivier Certner <o...@freebsd.org>
AuthorDate: 2024-10-28 16:22:28 +0000
Commit: Olivier Certner <o...@freebsd.org>
CommitDate: 2025-02-19 14:13:27 +0000
vm_phys_avail_count(): Fix out-of-bounds accesses
On improper termination of phys_avail[] (two consecutive 0 starting at
an even index), this function would (unnecessarily) continue searching
for the termination markers even if the index was out of bounds.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48629
---
sys/vm/vm_phys.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c
index 3b3b3cb16bb9..e2b5a6e21365 100644
--- a/sys/vm/vm_phys.c
+++ b/sys/vm/vm_phys.c
@@ -1782,12 +1782,10 @@ vm_phys_avail_count(void)
{
int i;
- for (i = 0; phys_avail[i + 1]; i += 2)
- continue;
- if (i > PHYS_AVAIL_ENTRIES)
- panic("Improperly terminated phys_avail %d entries", i);
-
- return (i);
+ for (i = 0; i < PHYS_AVAIL_COUNT; i += 2)
+ if (phys_avail[i] == 0 && phys_avail[i + 1] == 0)
+ return (i);
+ panic("Improperly terminated phys_avail[]");
}
/*
