[src/trunk]: src/sys/uvm PR/52078: Don't panic on 0 allocation, check more bo...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/c9984887d923
branches:  trunk
changeset: 822351:c9984887d923
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Mar 15 20:25:41 2017 +0000

description:
PR/52078: Don't panic on 0 allocation, check more bounds.

diffstat:

 sys/uvm/uvm_map.c |  32 ++++++++++++++++++++------------
 1 files changed, 20 insertions(+), 12 deletions(-)

diffs (78 lines):

diff -r 2497f540edb2 -r c9984887d923 sys/uvm/uvm_map.c
--- a/sys/uvm/uvm_map.c Wed Mar 15 16:42:18 2017 +0000
+++ b/sys/uvm/uvm_map.c Wed Mar 15 20:25:41 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvm_map.c,v 1.342 2016/12/01 02:09:03 mrg Exp $        */
+/*     $NetBSD: uvm_map.c,v 1.343 2017/03/15 20:25:41 christos Exp $   */
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.342 2016/12/01 02:09:03 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.343 2017/03/15 20:25:41 christos Exp $");
 
 #include "opt_ddb.h"
 #include "opt_uvmhist.h"
@@ -4892,15 +4892,25 @@
        char *dp;
        size_t count, vmesize;
 
-       vme = NULL;
-       vmesize = *oldlenp;
-       count = 0;
-       if (oldp && *oldlenp > 1024 * 1024)
-               return E2BIG;
+       if (elem_size == 0 || elem_size > 2 * sizeof(*vme))
+               return EINVAL;
+
+       if (oldp) {
+               if (*oldlenp > 1024 * 1024)
+                       return E2BIG;
+               count = *oldlenp / elem_size;
+               if (count == 0)
+                       return ENOMEM;
+               vmesize = count * sizeof(*vme);
+       } else
+               vmesize = 0;
 
        if ((error = proc_find_locked(l, &p, pid)) != 0)
                return error;
 
+       vme = NULL;
+       count = 0;
+
        if ((error = proc_vmspace_getref(p, &vm)) != 0)
                goto out;
 
@@ -4912,7 +4922,7 @@
                vme = kmem_alloc(vmesize, KM_SLEEP);
        for (entry = map->header.next; entry != &map->header;
            entry = entry->next) {
-               if (oldp && (dp - (char *)oldp) < *oldlenp + elem_size) {
+               if (oldp && (dp - (char *)oldp) < *oldlenp) {
                        error = fill_vmentry(l, p, &vme[count], map, entry);
                        if (error)
                                goto out;
@@ -4930,8 +4940,7 @@
                const u_int esize = min(sizeof(*vme), elem_size);
                dp = oldp;
                for (size_t i = 0; i < count; i++) {
-                       if (oldp && (dp - (char *)oldp) < *oldlenp + elem_size)
-                       {
+                       if (oldp && (dp - (char *)oldp) < *oldlenp) {
                                error = sysctl_copyout(l, &vme[i], dp, esize);
                                if (error)
                                        break;
@@ -4965,8 +4974,7 @@
                if (namelen != 3)
                        return EINVAL;
                sysctl_unlock();
-               error = fill_vmentries(l, name[1], name[2],
-                   oldp, oldlenp);
+               error = fill_vmentries(l, name[1], name[2], oldp, oldlenp);
                sysctl_relock();
                return error;
        default: