git: 7658c4f8c727 - stable/14 - vm_phys_avail_count(): Fix out-of-bounds accesses
Date: Tue, 08 Apr 2025 13:40:40 UTC
The branch stable/14 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=7658c4f8c727e3f646e49824e2ac5ce2372af897
commit 7658c4f8c727e3f646e49824e2ac5ce2372af897
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-10-28 16:22:28 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-08 13:38:21 +0000
vm_phys_avail_count(): Fix out-of-bounds accesses
On improper termination of phys_avail[] (two consecutive 0 starting at
an even index), this function would (unnecessarily) continue searching
for the termination markers even if the index was out of bounds.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48629
(cherry picked from commit 291b7bf071e8b50f2b7877213b2d3307ae5d3e38)
---
sys/vm/vm_phys.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c
index 3f8c37b4c2bf..34a003fe0ab0 100644
--- a/sys/vm/vm_phys.c
+++ b/sys/vm/vm_phys.c
@@ -1599,12 +1599,10 @@ vm_phys_avail_count(void)
{
int i;
- for (i = 0; phys_avail[i + 1]; i += 2)
- continue;
- if (i > PHYS_AVAIL_ENTRIES)
- panic("Improperly terminated phys_avail %d entries", i);
-
- return (i);
+ for (i = 0; i < PHYS_AVAIL_COUNT; i += 2)
+ if (phys_avail[i] == 0 && phys_avail[i + 1] == 0)
+ return (i);
+ panic("Improperly terminated phys_avail[]");
}
/*
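Review bot: In the new loop, the read of `phys_avail[i + 1]` stays in bounds only if PHYS_AVAIL_COUNT is even and equals the declared size of phys_avail[], and neither fact is visible in this hunk. With an odd count, the last iteration would have i + 1 == PHYS_AVAIL_COUNT and read one element past the end, which is the class of access this change is meant to remove. A compile-time assertion on the parity of PHYS_AVAIL_COUNT beside the loop, or a one-line comment stating the invariant, would keep the bound honest if the macro is ever changed. Separately, the old loop tested only `phys_avail[i + 1]`, while the new one requires both `phys_avail[i]` and `phys_avail[i + 1]` to be 0; that matches the commit message's definition of the terminator, but it is a behaviour change for a range that starts at a nonzero address and has a 0 end, which previously stopped the count and now is counted as a valid entry. It is worth a sentence in the commit message or a comment saying this is intended.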