Fix some potential integer overflows caused by converting a page number into

an offset/size/address by shifting by PAGE_SHIFT.  Make uvm_objwrire/unwire
use voff_t instead of off_t.  The former is the right type here even if it is
equivalent to the latter.

Inspired by a somewhat similar changes in Bitrig.

ok deraadt@, guenther@

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/uvm/uvm_fault.c b/sys/uvm/uvm_fault.c
index 98e2ad24277..d739d4fc772 100644
--- a/sys/uvm/uvm_fault.c
+++ b/sys/uvm/uvm_fault.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_fault.c,v 1.72 2014/04/13 23:14:15 tedu Exp $	*/
+/*	$OpenBSD: uvm_fault.c,v 1.73 2014/05/08 20:08:50 kettenis Exp $	*/
 /*	$NetBSD: uvm_fault.c,v 1.51 2000/08/06 00:22:53 thorpej Exp $	*/
 
 /*
@@ -622,7 +622,7 @@ ReFault:
 		/* wide fault (!narrow) */
 		nback = min(uvmadvice[ufi.entry->advice].nback,
 			    (ufi.orig_rvaddr - ufi.entry->start) >> PAGE_SHIFT);
-		startva = ufi.orig_rvaddr - (nback << PAGE_SHIFT);
+		startva = ufi.orig_rvaddr - ((vsize_t)nback << PAGE_SHIFT);
 		nforw = min(uvmadvice[ufi.entry->advice].nforw,
 			    ((ufi.entry->end - ufi.orig_rvaddr) >>
 			     PAGE_SHIFT) - 1);
@@ -664,13 +664,13 @@ ReFault:
 		if (uobj) {
 			uoff = (startva - ufi.entry->start) + ufi.entry->offset;
 			(void) uobj->pgops->pgo_flush(uobj, uoff, uoff + 
-				    (nback << PAGE_SHIFT), PGO_DEACTIVATE);
+			    ((vsize_t)nback << PAGE_SHIFT), PGO_DEACTIVATE);
 		}
 
 		/* now forget about the backpages */
 		if (amap)
 			anons += nback;
-		startva += (nback << PAGE_SHIFT);
+		startva += ((vsize_t)nback << PAGE_SHIFT);
 		npages -= nback;
 		centeridx = 0;
 	}