author | Mark Kettenis <kettenis@cvs.openbsd.org> | 2014-05-08 20:08:51 +0000 |
---|---|---|
committer | Mark Kettenis <kettenis@cvs.openbsd.org> | 2014-05-08 20:08:51 +0000 |
commit | 99aa65719601eb340e970ab268bc9c21d0e1d3eb (patch) | |
tree | 5c6213afd1d088a2e54cecd7730495d26e01c29e /sys/uvm/uvm_aobj.c | |
parent | a72d335afe366ee5df254bd5fe8a2be3554b8ae0 (diff) |
Fix some potential integer overflows caused by converting a page number into
an offset/size/address by shifting by PAGE_SHIFT. Make uvm_objwire/unwire
use voff_t instead of off_t. The former is the right type here even if it is
equivalent to the latter.
Inspired by somewhat similar changes in Bitrig.
ok deraadt@, guenther@
Diffstat (limited to 'sys/uvm/uvm_aobj.c')
-rw-r--r-- | sys/uvm/uvm_aobj.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/sys/uvm/uvm_aobj.c b/sys/uvm/uvm_aobj.c
index 173d469f584..153ca4d4716 100644
--- a/sys/uvm/uvm_aobj.c
+++ b/sys/uvm/uvm_aobj.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_aobj.c,v 1.63 2014/04/30 19:25:14 kettenis Exp $ */
+/* $OpenBSD: uvm_aobj.c,v 1.64 2014/05/08 20:08:50 kettenis Exp $ */
 /* $NetBSD: uvm_aobj.c,v 1.39 2001/02/18 21:19:08 chs Exp $ */
 /*
@@ -422,7 +422,8 @@ uao_shrink_flush(struct uvm_object *uobj, int startpg, int endpg)
 {
 KASSERT(startpg < endpg);
 KASSERT(uobj->uo_refs == 1);
- uao_flush(uobj, startpg << PAGE_SHIFT, endpg << PAGE_SHIFT, PGO_FREE);
+ uao_flush(uobj, (voff_t)startpg << PAGE_SHIFT,
+ (voff_t)endpg << PAGE_SHIFT, PGO_FREE);
 uao_dropswap_range(uobj, startpg, endpg);
 }
@@ -909,14 +910,14 @@ uao_flush(struct uvm_object *uobj, voff_t start, voff_t stop, int flags)
 if (flags & PGO_ALLPAGES) {
 start = 0;
- stop = aobj->u_pages << PAGE_SHIFT;
+ stop = (voff_t)aobj->u_pages << PAGE_SHIFT;
 } else {
 start = trunc_page(start);
 stop = round_page(stop);
- if (stop > (aobj->u_pages << PAGE_SHIFT)) {
+ if (stop > ((voff_t)aobj->u_pages << PAGE_SHIFT)) {
 printf("uao_flush: strange, got an out of range "
 "flush (fixed)\n");
- stop = aobj->u_pages << PAGE_SHIFT;
+ stop = (voff_t)aobj->u_pages << PAGE_SHIFT;
 }
 }
@@ -1414,7 +1415,7 @@ uao_pagein_page(struct uvm_aobj *aobj, int pageidx)
 pg = NULL;
 npages = 1;
- rv = uao_get(&aobj->u_obj, pageidx << PAGE_SHIFT,
+ rv = uao_get(&aobj->u_obj, (voff_t)pageidx << PAGE_SHIFT,
 &pg, &npages, 0, VM_PROT_READ|VM_PROT_WRITE, 0, 0);
 switch (rv) {
@@ -1511,7 +1512,7 @@ uao_dropswap_range(struct uvm_object *uobj, voff_t start, voff_t end)
 int slot = elt->slots[j];
 KASSERT(uvm_pagelookup(&aobj->u_obj,
- (UAO_SWHASH_ELT_PAGEIDX_BASE(elt)
+ (voff_t)(UAO_SWHASH_ELT_PAGEIDX_BASE(elt)
 + j) << PAGE_SHIFT) == NULL);
 if (slot > 0) { |
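Review bot: The new casts in uao_shrink_flush widen `startpg` and `endpg` before the shift, but both are plain `int` and the only visible precondition is `KASSERT(startpg < endpg)`, so a negative page number would still be sign-extended and shifted, which is undefined in C for a signed type and in practice gives a negative offset. If a negative value can reach this function, I would add `KASSERT(startpg >= 0);` next to the existing assertions. The same applies to `pageidx` in the uao_pagein_page hunk, where `(voff_t)pageidx << PAGE_SHIFT` is passed to uao_get. That function's body starts and ends outside the hunk, so an existing check may simply not be visible here.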
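Review bot: In the uao_flush hunk the object's size in bytes, `(voff_t)aobj->u_pages << PAGE_SHIFT`, is now written out three times, so the widening cast has to be remembered at every site. Computing it once, for example `voff_t objsize = (voff_t)aobj->u_pages << PAGE_SHIFT;`, and using `objsize` for the `PGO_ALLPAGES` assignment, the range comparison and the clamp would keep the cast in one place. The declarations of uao_flush lie outside the hunk, so where the local belongs is left to the author.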
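Review bot: The header of this hunk shows `uao_dropswap_range(struct uvm_object *uobj, voff_t start, voff_t end)`, yet the call visible in the uao_shrink_flush hunk passes page numbers (`uao_dropswap_range(uobj, startpg, endpg)`), and the code here builds page indexes from `UAO_SWHASH_ELT_PAGEIDX_BASE(elt) + j` before shifting. Since this commit is about confusing page numbers with byte offsets, the units of `start` and `end` should be documented at the definition, for instance `/* start and end are page indexes, not byte offsets */`, assuming that is the intent. Note also that the widened expression sits inside a `KASSERT`, so this particular fix appears to matter only in kernels built with assertions enabled. The function body starts and ends outside the hunk.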