On Mon, May 5, 2014 at 11:27 AM, Mark Kettenis <[email protected]> wrote:
> Inspired by some commits in bitrig, I did an audit for potential
> integer overflows caused by converting a page number into an
> offset/size/address by shifting by PAGE_SHIFT.  While doing so, I
> noticed that uvm_objwire/unwire really should really use voff_t
> instead of off_t.
>

Looks good to me!

There is one potential overflow left that this diff doesn't address.

> In uvm_swap.c:uvm_swap_io() there is a line that reads:
>
>     bp->b_dirtyend = npages << PAGE_SHIFT;
>
> Potentially this could overflow, but given that the b_dirtyend member
> of "struct buf" is an int, there's not much we can do about this.
>

Hard to see through my shades turning black, but it sure looks to me like
b_dirtyend is only important to the NFS code, where it's an offset within
the bufs, or maybe within chunks of size nm_rsize, which is capped to 64k?

> ok?
>

Yep.

Philip Guenther

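The overflow class the audit above is about, shown as an added example (not code from the OpenBSD tree or from either poster): a page count shifted by PAGE_SHIFT while still an int wraps once npages reaches 2^19 with 4 KiB pages, whereas widening to a 64-bit voff_t before the shift does not. The PAGE_SHIFT value, the voff_t typedef, and the helper names are assumptions for illustration; the fit check models the b_dirtyend case, where the destination is an int and the only option is to refuse page counts whose byte size does not fit.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values: 4 KiB pages, 64-bit virtual offsets as in uvm's voff_t. */
#define PAGE_SHIFT 12
typedef int64_t voff_t;

/*
 * Wrong pattern: the shift is evaluated at int width, so the result
 * wraps modulo 2^32. Done in unsigned here so the wrap is defined
 * behaviour and can be observed instead of being undefined.
 */
static unsigned int
page_to_off_narrow(unsigned int npages)
{
	return npages << PAGE_SHIFT;	/* 1<<20 pages -> 0 */
}

/* Correct pattern: widen to voff_t first, then shift. */
static voff_t
page_to_voff(int npages)
{
	return (voff_t)npages << PAGE_SHIFT;	/* 1<<20 pages -> 1<<32 */
}

/*
 * For an int destination such as b_dirtyend there is nothing to widen
 * into, so the caller can only check that npages pages worth of bytes
 * fit before storing the value.
 */
static bool
pages_fit_in_int(int npages)
{
	return npages >= 0 && npages <= (INT_MAX >> PAGE_SHIFT);
}

int
main(void)
{
	int npages = 1 << 20;	/* 4 GiB worth of 4 KiB pages */

	printf("narrow: %u\n", page_to_off_narrow((unsigned int)npages));
	printf("voff_t: %lld\n", (long long)page_to_voff(npages));
	printf("fits in int: %s\n", pages_fit_in_int(npages) ? "yes" : "no");
	return 0;
}
```

The boundary for the int case is INT_MAX >> PAGE_SHIFT pages (524287 with 4 KiB pages); one page more gives 2^31 bytes, which no longer fits.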