Fri Aug 18 14:53:10 2017 UTC ()
Pull up following revision(s) (requested by martin in ticket #1465):
	sys/kern/kern_malloc.c: revision 1.146
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.


(snj)
diff -r1.138 -r1.138.2.1 src/sys/kern/kern_malloc.c


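--- a/src/sys/kern/kern_malloc.c
+++ b/src/sys/kern/kern_malloc.c
@@ -1,14 +1,14 @@
-/* $NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $ */
+/* $NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $ */
 
 /*
  * Copyright (c) 1987, 1991, 1993
  * The Regents of the University of California. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
  * documentation and/or other materials provided with the distribution.
@@ -56,27 +56,27 @@
  * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)kern_malloc.c 8.4 (Berkeley) 5/20/95
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138 2012/02/06 12:13:44 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.138.2.1 2017/08/18 14:53:10 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/proc.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/kmem.h>
 #include <sys/systm.h>
 #include <sys/debug.h>
 #include <sys/mutex.h>
 #include <sys/lockdebug.h>
 
 #include <uvm/uvm_extern.h>
 
@@ -103,27 +103,30 @@ void *
 _kern_malloc(unsigned long size, struct malloc_type *ksp, int flags,
  const char *file, long line)
 #else
 void *
 kern_malloc(unsigned long size, struct malloc_type *ksp, int flags)
 #endif /* MALLOCLOG */
 {
  const int kmflags = (flags & M_NOWAIT) ? KM_NOSLEEP : KM_SLEEP;
  size_t allocsize, hdroffset;
  struct malloc_header *mh;
  void *p;
 
  if (size >= PAGE_SIZE) {
- allocsize = PAGE_SIZE + size; /* for page alignment */
+ if (size > (ULONG_MAX-PAGE_SIZE))
+ allocsize = ULONG_MAX; /* this will fail later */
+ else
+ allocsize = PAGE_SIZE + size; /* for page alignment */
  hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
  } else {
  allocsize = sizeof(struct malloc_header) + size;
  hdroffset = 0;
  }
 
  p = kmem_intr_alloc(allocsize, kmflags);
  if (p == NULL)
  return NULL;
 
  if ((flags & M_ZERO) != 0) {
  memset(p, 0, allocsize);
  }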