From owner-svn-src-head@freebsd.org Sat Jul 1 23:39:51 2017
Return-Path:
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 90D36D95320; Sat, 1 Jul 2017 23:39:51 +0000 (UTC) (envelope-from alc@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 550AC76AD0; Sat, 1 Jul 2017 23:39:51 +0000 (UTC) (envelope-from alc@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v61Ndo8S076164; Sat, 1 Jul 2017 23:39:50 GMT (envelope-from alc@FreeBSD.org)
Received: (from alc@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v61NdoE9076163; Sat, 1 Jul 2017 23:39:50 GMT (envelope-from alc@FreeBSD.org)
Message-Id: <201707012339.v61NdoE9076163@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: alc set sender to alc@FreeBSD.org using -f
From: Alan Cox
Date: Sat, 1 Jul 2017 23:39:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r320560 - head/sys/vm
X-SVN-Group: head
X-SVN-Commit-Author: alc
X-SVN-Commit-Paths: head/sys/vm
X-SVN-Commit-Revision: 320560
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 01 Jul 2017 23:39:51 -0000

Author: alc
Date: Sat Jul 1 23:39:49 2017
New Revision: 320560

URL: https://svnweb.freebsd.org/changeset/base/320560

Log:
  Modify vm_map_growstack() to protect itself from the possibility of the
  gap entry in the vm map being smaller than the sysctl-derived stack guard
  size. Otherwise, the value of max_grow can suffer from overflow, and the
  roundup(grow_amount, sgrowsiz) will not be properly capped, resulting in
  an assertion failure.

  In collaboration with: kib
  MFC after: 3 days

Modified:
  head/sys/vm/vm_map.c

Modified: head/sys/vm/vm_map.c ============================================================================== --- head/sys/vm/vm_map.c Sat Jul 1 22:54:52 2017 (r320559) +++ head/sys/vm/vm_map.c Sat Jul 1 23:39:49 2017 (r320560) @@ -3685,7 +3685,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_ma struct vmspace *vm; struct ucred *cred; vm_offset_t gap_end, gap_start, grow_start; - size_t grow_amount, max_grow; + size_t grow_amount, guard, max_grow; rlim_t lmemlim, stacklim, vmemlim; int rv, rv1; bool gap_deleted, grow_down, is_procstack; 
@@ -3701,6 +3701,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_ma MPASS(map == &p->p_vmspace->vm_map); MPASS(!map->system_map); + guard = stack_guard_page * PAGE_SIZE; lmemlim = lim_cur(curthread, RLIMIT_MEMLOCK); stacklim = lim_cur(curthread, RLIMIT_STACK); vmemlim = lim_cur(curthread, RLIMIT_VMEM); @@ -3727,8 +3728,10 @@ retry: } else { return (KERN_FAILURE); } - max_grow = gap_entry->end - gap_entry->start - stack_guard_page * - PAGE_SIZE; + max_grow = gap_entry->end - gap_entry->start; + if (guard > max_grow) + return (KERN_NO_SPACE); + max_grow -= guard; if (grow_amount > max_grow) return (KERN_NO_SPACE);
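Review bot: in the hunk that adds `guard = stack_guard_page * PAGE_SIZE;`, the multiplication is carried out in the operands' own (narrower) type and only afterwards widened to the `size_t` declared in the first hunk, so a sufficiently large `stack_guard_page` value can wrap before the `guard > max_grow` comparison in the next hunk ever sees it; unless the sysctl handler already bounds the value (not visible in this diff), write it as `guard = (size_t)stack_guard_page * PAGE_SIZE;`. Computing it once at function entry, above the `retry:` label shown in the last hunk's context, does have the merit that one consistent guard size is used for the whole call even if the sysctl changes part-way through.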
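Review bot: the new `if (guard > max_grow) return (KERN_NO_SPACE);` correctly sits between `max_grow = gap_entry->end - gap_entry->start;` and `max_grow -= guard;`, so the unsigned subtraction can no longer wrap (the log message calls this overflow; for a `size_t` it is wraparound on underflow, which is what let `roundup(grow_amount, sgrowsiz)` escape its cap). Using `>` rather than `>=` is fine: a gap exactly the size of the guard leaves `max_grow == 0`, and the following `if (grow_amount > max_grow)` rejects any non-zero growth. A one-line comment at the check would help the next reader, since it is not obvious from the code alone why a gap entry can be smaller than the guard; the log explains it (the sysctl-derived guard size can exceed the gap entry's size), but the code does not.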