Module Name:    src
Committed By:   hannken
Date:           Fri Jan 13 15:46:40 UTC 2023

Modified Files:
        src/sys/dev: md.c

Log Message:
It is not sufficient to have a comment /* Sanity check the size. */,
also check the size is greater than zero and a multiple of DEV_BSIZE.

Reported-by: syzbot+318187e5124846542...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.87 src/sys/dev/md.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/md.c
diff -u src/sys/dev/md.c:1.86 src/sys/dev/md.c:1.87
--- src/sys/dev/md.c:1.86	Sat Sep 24 23:20:13 2022
+++ src/sys/dev/md.c	Fri Jan 13 15:46:40 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: md.c,v 1.86 2022/09/24 23:20:13 thorpej Exp $	*/
+/*	$NetBSD: md.c,v 1.87 2023/01/13 15:46:40 hannken Exp $	*/
 
 /*
  * Copyright (c) 1995 Gordon W. Ross, Leo Weppelman.
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: md.c,v 1.86 2022/09/24 23:20:13 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: md.c,v 1.87 2023/01/13 15:46:40 hannken Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_md.h"
@@ -589,10 +589,13 @@ md_ioctl_kalloc(struct md_softc *sc, str
 	vaddr_t addr;
 	vsize_t size;
 
-	mutex_exit(&sc->sc_lock);
-
 	/* Sanity check the size. */
 	size = umd->md_size;
+	if (size < DEV_BSIZE || (size % DEV_BSIZE) != 0)
+		return EINVAL;
+
+	mutex_exit(&sc->sc_lock);
+
 	addr = uvm_km_alloc(kernel_map, size, 0, UVM_KMF_WIRED|UVM_KMF_ZERO);
 
 	mutex_enter(&sc->sc_lock);
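Review bot: The new check on `size` has no upper bound, so any multiple of DEV_BSIZE taken from `umd->md_size` still reaches `uvm_km_alloc()` as a wired, zero-filled kernel allocation. Since the syzbot report suggests the value can be arbitrary, I would also reject sizes above a driver-defined limit, e.g. `if (size < DEV_BSIZE || (size % DEV_BSIZE) != 0 || size > MD_KALLOC_MAX)`, where `MD_KALLOC_MAX` is a placeholder for a cap this file would have to define. The flags passed here include neither `UVM_KMF_CANFAIL` nor `UVM_KMF_NOWAIT`, so an oversized request presumably waits for memory instead of failing; how a zero `addr` is handled lies outside the hunk and should be confirmed. Returning EINVAL before `mutex_exit()` looks right provided callers expect sc_lock to be held on return, which the rest of md_ioctl_kalloc (it starts and ends outside this hunk) would need to confirm.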
