Inspired by some commits in bitrig, I did an audit for potential
integer overflows caused by converting a page number into an
offset/size/address by shifting by PAGE_SHIFT. While doing so, I
noticed that uvm_objwire/unwire really should really use voff_t
instead of off_t.
There is one potential overflow left that this diff doesn't address.
In uvm_swap.c:uvm_swap_io() there is a line that reads:
bp->b_dirtyend = npages << PAGE_SHIFT;
Potentially this could overflow, but given that the b_dirtyend member
of "struct buf" is an int, there's not much we can do about this.
ok?
Index: uvm_aobj.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_aobj.c,v
retrieving revision 1.63
diff -u -p -r1.63 uvm_aobj.c
--- uvm_aobj.c 30 Apr 2014 19:25:14 -0000 1.63
+++ uvm_aobj.c 5 May 2014 18:14:19 -0000
@@ -422,7 +422,8 @@ uao_shrink_flush(struct uvm_object *uobj
{
KASSERT(startpg < endpg);
KASSERT(uobj->uo_refs == 1);
- uao_flush(uobj, startpg << PAGE_SHIFT, endpg << PAGE_SHIFT, PGO_FREE);
+ uao_flush(uobj, (voff_t)startpg << PAGE_SHIFT,
+ (voff_t)endpg << PAGE_SHIFT, PGO_FREE);
uao_dropswap_range(uobj, startpg, endpg);
}
@@ -909,14 +910,14 @@ uao_flush(struct uvm_object *uobj, voff_
if (flags & PGO_ALLPAGES) {
start = 0;
- stop = aobj->u_pages << PAGE_SHIFT;
+ stop = (voff_t)aobj->u_pages << PAGE_SHIFT;
} else {
start = trunc_page(start);
stop = round_page(stop);
- if (stop > (aobj->u_pages << PAGE_SHIFT)) {
+ if (stop > ((voff_t)aobj->u_pages << PAGE_SHIFT)) {
printf("uao_flush: strange, got an out of range "
"flush (fixed)\n");
- stop = aobj->u_pages << PAGE_SHIFT;
+ stop = (voff_t)aobj->u_pages << PAGE_SHIFT;
}
}
@@ -1414,7 +1415,7 @@ uao_pagein_page(struct uvm_aobj *aobj, i
pg = NULL;
npages = 1;
- rv = uao_get(&aobj->u_obj, pageidx << PAGE_SHIFT,
+ rv = uao_get(&aobj->u_obj, (voff_t)pageidx << PAGE_SHIFT,
&pg, &npages, 0, VM_PROT_READ|VM_PROT_WRITE, 0, 0);
switch (rv) {
@@ -1511,7 +1512,7 @@ uao_dropswap_range(struct uvm_object *uo
int slot = elt->slots[j];
KASSERT(uvm_pagelookup(&aobj->u_obj,
- (UAO_SWHASH_ELT_PAGEIDX_BASE(elt)
+
(voff_t)(UAO_SWHASH_ELT_PAGEIDX_BASE(elt)
+ j) << PAGE_SHIFT) == NULL);
if (slot > 0) {
Index: uvm_fault.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_fault.c,v
retrieving revision 1.72
diff -u -p -r1.72 uvm_fault.c
--- uvm_fault.c 13 Apr 2014 23:14:15 -0000 1.72
+++ uvm_fault.c 5 May 2014 18:14:19 -0000
@@ -622,7 +622,7 @@ ReFault:
/* wide fault (!narrow) */
nback = min(uvmadvice[ufi.entry->advice].nback,
(ufi.orig_rvaddr - ufi.entry->start) >> PAGE_SHIFT);
- startva = ufi.orig_rvaddr - (nback << PAGE_SHIFT);
+ startva = ufi.orig_rvaddr - ((vsize_t)nback << PAGE_SHIFT);
nforw = min(uvmadvice[ufi.entry->advice].nforw,
((ufi.entry->end - ufi.orig_rvaddr) >>
PAGE_SHIFT) - 1);
@@ -664,13 +664,13 @@ ReFault:
if (uobj) {
uoff = (startva - ufi.entry->start) + ufi.entry->offset;
(void) uobj->pgops->pgo_flush(uobj, uoff, uoff +
- (nback << PAGE_SHIFT), PGO_DEACTIVATE);
+ ((vsize_t)nback << PAGE_SHIFT), PGO_DEACTIVATE);
}
/* now forget about the backpages */
if (amap)
anons += nback;
- startva += (nback << PAGE_SHIFT);
+ startva += ((vsize_t)nback << PAGE_SHIFT);
npages -= nback;
centeridx = 0;
}
Index: uvm_object.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_object.c,v
retrieving revision 1.7
diff -u -p -r1.7 uvm_object.c
--- uvm_object.c 30 May 2013 15:17:59 -0000 1.7
+++ uvm_object.c 5 May 2014 18:14:19 -0000
@@ -64,12 +64,12 @@ uvm_objinit(struct uvm_object *uobj, str
*/
int
-uvm_objwire(struct uvm_object *uobj, off_t start, off_t end,
+uvm_objwire(struct uvm_object *uobj, voff_t start, voff_t end,
struct pglist *pageq)
{
- int i, npages, error;
+ int i, npages, left, error;
struct vm_page *pgs[FETCH_PAGECOUNT];
- off_t offset = start, left;
+ voff_t offset = start;
left = (end - start) >> PAGE_SHIFT;
@@ -127,7 +127,7 @@ uvm_objwire(struct uvm_object *uobj, off
uvm_page_unbusy(pgs, npages);
left -= npages;
- offset += npages << PAGE_SHIFT;
+ offset += (voff_t)npages << PAGE_SHIFT;
}
return 0;
@@ -146,7 +146,7 @@ error:
*/
void
-uvm_objunwire(struct uvm_object *uobj, off_t start, off_t end)
+uvm_objunwire(struct uvm_object *uobj, voff_t start, voff_t end)
{
struct vm_page *pg;
off_t offset;
Index: uvm_object.h
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_object.h,v
retrieving revision 1.19
diff -u -p -r1.19 uvm_object.h
--- uvm_object.h 30 May 2013 15:17:59 -0000 1.19
+++ uvm_object.h 5 May 2014 18:14:19 -0000
@@ -97,8 +97,8 @@ RB_PROTOTYPE(uvm_objtree, vm_page, objt,
((struct vnode *)uobj)->v_flag & VTEXT)
void uvm_objinit(struct uvm_object *, struct uvm_pagerops *, int);
-int uvm_objwire(struct uvm_object *, off_t, off_t, struct pglist *);
-void uvm_objunwire(struct uvm_object *, off_t, off_t);
+int uvm_objwire(struct uvm_object *, voff_t, voff_t, struct pglist *);
+void uvm_objunwire(struct uvm_object *, voff_t, voff_t);
#endif /* _KERNEL */
Index: uvm_pager.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_pager.c,v
retrieving revision 1.65
diff -u -p -r1.65 uvm_pager.c
--- uvm_pager.c 13 Apr 2014 23:14:15 -0000 1.65
+++ uvm_pager.c 5 May 2014 18:14:19 -0000
@@ -278,7 +278,7 @@ void
uvm_pagermapout(vaddr_t kva, int npages)
{
- pmap_remove(pmap_kernel(), kva, kva + (npages << PAGE_SHIFT));
+ pmap_remove(pmap_kernel(), kva, kva + ((vsize_t)npages << PAGE_SHIFT));
pmap_update(pmap_kernel());
uvm_pseg_release(kva);
@@ -724,7 +724,8 @@ uvm_aio_aiodone(struct buf *bp)
uobj = NULL;
for (i = 0; i < npages; i++)
- pgs[i] = uvm_atopg((vaddr_t)bp->b_data + (i << PAGE_SHIFT));
+ pgs[i] = uvm_atopg((vaddr_t)bp->b_data +
+ ((vsize_t)i << PAGE_SHIFT));
uvm_pagermapout((vaddr_t)bp->b_data, npages);
#ifdef UVM_SWAP_ENCRYPT
/*
Index: uvm_swap.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_swap.c,v
retrieving revision 1.126
diff -u -p -r1.126 uvm_swap.c
--- uvm_swap.c 29 Apr 2014 09:55:28 -0000 1.126
+++ uvm_swap.c 5 May 2014 18:14:20 -0000
@@ -1780,7 +1780,7 @@ uvm_swap_io(struct vm_page **pps, int st
bp->b_vp = NULL;
buf_replacevnode(bp, swapdev_vp);
splx(s);
- bp->b_bufsize = bp->b_bcount = npages << PAGE_SHIFT;
+ bp->b_bufsize = bp->b_bcount = (long)npages << PAGE_SHIFT;
/*
* for pageouts we must set "dirtyoff" [NFS client code needs it].
Index: uvm_vnode.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_vnode.c,v
retrieving revision 1.81
diff -u -p -r1.81 uvm_vnode.c
--- uvm_vnode.c 13 Apr 2014 23:14:15 -0000 1.81
+++ uvm_vnode.c 5 May 2014 18:14:20 -0000
@@ -1159,7 +1159,7 @@ uvn_io(struct uvm_vnode *uvn, vm_page_t
*/
/* fill out uio/iov */
iov.iov_base = (caddr_t) kva;
- wanted = npages << PAGE_SHIFT;
+ wanted = (size_t)npages << PAGE_SHIFT;
if (file_offset + wanted > uvn->u_size)
wanted = uvn->u_size - file_offset; /* XXX: needed? */
iov.iov_len = wanted;
@@ -1211,7 +1211,7 @@ uvn_io(struct uvm_vnode *uvn, vm_page_t
result = EIO; /* XXX: error? */
} else if (got < PAGE_SIZE * npages && rw == UIO_READ) {
memset((void *) (kva + got), 0,
- (npages << PAGE_SHIFT) - got);
+ ((size_t)npages << PAGE_SHIFT) - got);
}
}
