Module Name: src
Committed By: riastradh
Date: Wed Nov 23 23:53:53 UTC 2022
Modified Files:
src/sys/uvm: uvm_map.c
Log Message:
mmap(2): Avoid arithmetic overflow in search for free space.
PR kern/56900
Reported-by: [email protected]
https://syzkaller.appspot.com/bug?id=e542bcf59b2564cca1cb38c12f076fb08dcac37e
To generate a diff of this commit:
cvs rdiff -u -r1.402 -r1.403 src/sys/uvm/uvm_map.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/uvm/uvm_map.c
diff -u src/sys/uvm/uvm_map.c:1.402 src/sys/uvm/uvm_map.c:1.403
--- src/sys/uvm/uvm_map.c:1.402 Wed Jun 8 16:55:00 2022
+++ src/sys/uvm/uvm_map.c Wed Nov 23 23:53:53 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_map.c,v 1.402 2022/06/08 16:55:00 macallan Exp $ */
+/* $NetBSD: uvm_map.c,v 1.403 2022/11/23 23:53:53 riastradh Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -66,7 +66,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.402 2022/06/08 16:55:00 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.403 2022/11/23 23:53:53 riastradh Exp $");
#include "opt_ddb.h"
#include "opt_pax.h"
@@ -1994,7 +1994,20 @@ uvm_map_findspace(struct vm_map *map, va
/* Try to find the space in the red-black tree */
/* Check slot before any entry */
- hint = topdown ? entry->next->start - length : entry->end;
+ if (topdown) {
+ KASSERTMSG(entry->next->start >= vm_map_min(map),
+ "map=%p entry=%p entry->next=%p"
+ " entry->next->start=0x%"PRIxVADDR" min=0x%"PRIxVADDR,
+ map, entry, entry->next,
+ entry->next->start, vm_map_min(map));
+ if (length > entry->next->start - vm_map_min(map))
+ hint = vm_map_min(map); /* XXX goto wraparound? */
+ else
+ hint = entry->next->start - length;
+ KASSERT(hint >= vm_map_min(map));
+ } else {
+ hint = entry->end;
+ }
INVARIANTS();
avail = uvm_map_space_avail(&hint, length, uoffset, align, flags,
topdown, entry);
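Review bot: In the topdown branch, when `length > entry->next->start - vm_map_min(map)` the hint is clamped to `vm_map_min(map)`, an address from which `length` bytes cannot fit below `entry->next->start`. The clamp is therefore only safe if the following `uvm_map_space_avail()` call rejects that slot. Its body is outside this hunk, and the `/* XXX goto wraparound? */` comment leaves the question open. I would replace it with a comment stating the contract, e.g. `/* gap too small: clamp to avoid underflow; uvm_map_space_avail() is expected to reject this slot */`, or jump straight to the not-found path if one exists. Separately, the unsigned subtraction in the `if` is only meaningful while `entry->next->start >= vm_map_min(map)`, and that is checked solely by `KASSERTMSG`, which is presumably compiled out of non-DIAGNOSTIC kernels. Writing the test as `if (entry->next->start < vm_map_min(map) || length > entry->next->start - vm_map_min(map))` would keep the overflow guard intact in release builds. `uvm_map_findspace` begins and ends outside the hunk.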