Subject: kern/3119: numeric overflows in subr_extent.c
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Drochner <drochner@zelz26.zel.kfa-juelich.de>
List: netbsd-bugs
Date: 01/17/1997 18:58:49
>Number:         3119
>Category:       kern
>Synopsis:       numeric overflows in subr_extent.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 17 10:05:01 1997
>Last-Modified:
>Originator:     Matthias Drochner
>Organization:
	KFA Juelich
>Release:        current
>Environment:
	NetBSD-current
System: NetBSD zelz26 1.2 NetBSD 1.2 (TULIP) #21: Thu Nov 14 22:05:19 MET 1996 drochner@zelz28:/home/drochner/netbsd/sys/arch/i386/compile/TULIP i386


>Description:
	(1): "substart == ex->ex_end" and "subend == ex->ex_start"
	     are completely legal parameters for extent_alloc_subregion()
	(2): "(subend - substart) + 1" can cause an overflow if the whole
	     numeric range is covered by the extent.
>How-To-Repeat:
	???
>Fix:
*** 457,471 ****
  		panic("extent_alloc_subregion: NULL extent");
  	if (result == NULL)
  		panic("extent_alloc_subregion: NULL result pointer");
! 	if ((substart < ex->ex_start) || (substart >= ex->ex_end) ||
! 	    (subend > ex->ex_end) || (subend <= ex->ex_start)) {
    printf("extent_alloc_subregion: extent `%s', ex_start 0x%lx, ex_end 0x%lx\n",
  		    ex->ex_name, ex->ex_start, ex->ex_end);
  		printf("extent_alloc_subregion: substart 0x%lx, subend 0x%lx\n",
  		    substart, subend);
  		panic("extent_alloc_subregion: bad subregion");
  	}
! 	if ((size < 1) || (size > ((subend - substart) + 1))) {
  		printf("extent_alloc_subregion: extent `%s', size 0x%lx\n",
  		    ex->ex_name, size);
  		panic("extent_alloc_subregion: bad size");
--- 440,454 ----
  		panic("extent_alloc_subregion: NULL extent");
  	if (result == NULL)
  		panic("extent_alloc_subregion: NULL result pointer");
! 	if ((substart < ex->ex_start) || (substart > ex->ex_end) ||
! 	    (subend > ex->ex_end) || (subend < ex->ex_start)) {
    printf("extent_alloc_subregion: extent `%s', ex_start 0x%lx, ex_end 0x%lx\n",
  		    ex->ex_name, ex->ex_start, ex->ex_end);
  		printf("extent_alloc_subregion: substart 0x%lx, subend 0x%lx\n",
  		    substart, subend);
  		panic("extent_alloc_subregion: bad subregion");
  	}
! 	if ((size < 1) || ((size - 1) > (subend - substart))) {
  		printf("extent_alloc_subregion: extent `%s', size 0x%lx\n",
  		    ex->ex_name, size);
  		panic("extent_alloc_subregion: bad size");
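Review bot: neither the old nor the new bad-subregion condition rejects `subend < substart`, and the relaxed bounds in the new `if` now let the two endpoints named in the description (substart == ex_end, subend == ex_start) pass together, after which `subend - substart` wraps to a very large value and the size test accepts almost any size; suggest adding `(substart > subend)` to the bad-subregion condition so it panics before the size test runs. The rewritten size check `(size - 1) > (subend - substart)` is only free of underflow because `(size < 1)` is evaluated first and short-circuits for size == 0; a one-line comment on that ordering would keep a later reordering of the condition from reintroducing the wrap.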
***************

>Audit-Trail:
>Unformatted:
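The two checks the patch rewrites, side by side, as an added example that is not part of the PR or of NetBSD's subr_extent.c; the extent is modelled as a struct holding only ex_start and ex_end (an assumption), and the other arguments of extent_alloc_subregion() are left out.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the kernel extent (assumption: only the two bounds). */
struct extent { unsigned long ex_start, ex_end; };

/* Old subregion check: rejects substart == ex_end and subend == ex_start,
 * although both are legal inclusive bounds. */
static bool old_subregion_ok(const struct extent *ex, unsigned long substart,
    unsigned long subend)
{
	return !((substart < ex->ex_start) || (substart >= ex->ex_end) ||
	    (subend > ex->ex_end) || (subend <= ex->ex_start));
}

/* Fixed subregion check: both bounds are treated as inclusive. */
static bool new_subregion_ok(const struct extent *ex, unsigned long substart,
    unsigned long subend)
{
	return !((substart < ex->ex_start) || (substart > ex->ex_end) ||
	    (subend > ex->ex_end) || (subend < ex->ex_start));
}

/* Old size check: (subend - substart) + 1 wraps to 0 when the subregion
 * covers the whole unsigned long range, so every size >= 1 is rejected. */
static bool old_size_ok(unsigned long substart, unsigned long subend,
    unsigned long size)
{
	return !((size < 1) || (size > ((subend - substart) + 1)));
}

/* Fixed size check: size - 1 cannot wrap because size < 1 is tested first. */
static bool new_size_ok(unsigned long substart, unsigned long subend,
    unsigned long size)
{
	return !((size < 1) || ((size - 1) > (subend - substart)));
}

int main(void)
{
	struct extent ex = { 0x1000, 0x1fff };	/* constructed sample extent */

	printf("substart == ex_end:        old %d, new %d\n",
	    old_subregion_ok(&ex, 0x1fff, 0x1fff),
	    new_subregion_ok(&ex, 0x1fff, 0x1fff));
	printf("full-range extent, size 16: old %d, new %d\n",
	    old_size_ok(0, ULONG_MAX, 16), new_size_ok(0, ULONG_MAX, 16));
	return 0;
}
```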