Date: Mon, 4 Oct 2021 14:18:16 GMT From: Mitchell Horne <mhorne@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: a3acb379bdea - stable/12 - rman: fix overflow in rman_reserve_resource_bound() Message-ID: <202110041418.194EIGfr049436@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by mhorne: URL: https://cgit.FreeBSD.org/src/commit/?id=a3acb379bdea033ce08b4800cbb5a9c46a673ce1 commit a3acb379bdea033ce08b4800cbb5a9c46a673ce1 Author: Elliott Mitchell <ehem+freebsd@m5p.com> AuthorDate: 2021-09-27 17:13:19 +0000 Commit: Mitchell Horne <mhorne@FreeBSD.org> CommitDate: 2021-10-04 14:15:19 +0000 rman: fix overflow in rman_reserve_resource_bound() If the default range of [0, ~0] is given, then (~0 - 0) + 1 == 0. This in turn will cause any allocation of non-zero size to fail. Zero-sized allocations are prohibited, so add a KASSERT to this effect. History indicates it is part of the original rman code. This bug may in fact be older than some contributors. Reviewed by: mhorne MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D30280 (cherry picked from commit bcddaadbef5850ed9f040836d3f25ff57138ae28) --- sys/kern/subr_rman.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kern/subr_rman.c b/sys/kern/subr_rman.c index 98614b85e32b..4af718695159 100644 --- a/sys/kern/subr_rman.c +++ b/sys/kern/subr_rman.c @@ -449,6 +449,8 @@ rman_reserve_resource_bound(struct rman *rm, rman_res_t start, rman_res_t end, "length %#jx, flags %x, device %s\n", rm->rm_descr, start, end, count, flags, dev == NULL ? "<null>" : device_get_nameunit(dev))); + KASSERT(count != 0, ("%s: attempted to allocate an empty range", + __func__)); KASSERT((flags & RF_FIRSTSHARE) == 0, ("invalid flags %#x", flags)); new_rflags = (flags & ~RF_FIRSTSHARE) | RF_ALLOCATED; @@ -524,7 +526,7 @@ rman_reserve_resource_bound(struct rman *rm, rman_res_t start, rman_res_t end, DPRINTF(("truncated region: [%#jx, %#jx]; size %#jx (requested %#jx)\n", rstart, rend, (rend - rstart + 1), count)); - if ((rend - rstart + 1) >= count) { + if ((rend - rstart) >= (count - 1)) { DPRINTF(("candidate region: [%#jx, %#jx], size %#jx\n", rstart, rend, (rend - rstart + 1))); if ((s->r_end - s->r_start + 1) == count) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202110041418.194EIGfr049436>