Date: Thu, 20 Sep 2018 13:44:50 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231515] Potential out-of-bounds access in function pmap_bootstrap (sys/riscv/riscv/pmap.c)
Message-ID: <bug-231515-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231515

            Bug ID: 231515
           Summary: Potential out-of-bounds access in function pmap_bootstrap (sys/riscv/riscv/pmap.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 197279
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197279&action=edit
Patch_for_RISCV_OUT-OF-BOUNDS-ACCESS

There is a potential out-of-bounds access in function pmap_bootstrap (sys/riscv/riscv/pmap.c).

563 void
564 pmap_bootstrap(vm_offset_t l1pt, vm_paddr_t kernstart, vm_size_t kernlen)
565 {
566         u_int l1_slot, l2_slot, avail_slot, map_slot, used_map_slot;
567         uint64_t kern_delta;
568         pt_entry_t *l2;
569         vm_offset_t va, freemempos;
570         vm_offset_t dpcpu, msgbufpv;
571         vm_paddr_t pa, min_pa, max_pa;
572         int i;
...
621         map_slot = avail_slot = 0;
622         for (; map_slot < (physmap_idx * 2); map_slot += 2) {
623                 if (physmap[map_slot] == physmap[map_slot + 1])
624                         continue;
625
626                 if (physmap[map_slot] <= pa &&
627                     physmap[map_slot + 1] > pa)
628                         break;
629
630                 phys_avail[avail_slot] = physmap[map_slot];
631                 phys_avail[avail_slot + 1] = physmap[map_slot + 1];
632                 physmem += (phys_avail[avail_slot + 1] -
633                     phys_avail[avail_slot]) >> PAGE_SHIFT;
634                 avail_slot += 2;
635         }
636
637         /* Add the memory before the kernel */
638         if (physmap[avail_slot] < pa) {
639                 phys_avail[avail_slot] = physmap[map_slot];
640                 phys_avail[avail_slot + 1] = pa;
641                 physmem += (phys_avail[avail_slot + 1] -
642                     phys_avail[avail_slot]) >> PAGE_SHIFT;
643                 avail_slot += 2;
644         }
...
737 }

avail_slot may be bigger than or equal to PHYS_AVAIL_SIZE - 2 in the loop (line 634). Then there would be an out-of-bounds access to the phys_avail array at lines 630, 631, 639, 640 and so on. The attachment is the proposed patch for this vulnerability.
-- 
You are receiving this mail because:
You are the assignee for the bug.
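The fill loop from the report, rebuilt as a user-space model with the bound the report says is missing. This is an added illustration, not FreeBSD's code and not the attached patch; PHYS_AVAIL_SIZE, the terminator convention and the sample memory map are assumptions made for the demo.

```c
#include <stdint.h>

#define PAGE_SHIFT      12
#define PHYS_AVAIL_SIZE 8   /* assumed: three usable pairs plus the zero terminator */

typedef uint64_t vm_paddr_t;

/* Model of the report's loop: copy each physmap segment below the kernel
 * start `pa` into phys_avail.  Returns the next free slot, or -1 if one
 * more pair would not fit (the last pair is reserved for the terminator). */
static int
fill_phys_avail(const vm_paddr_t *physmap, unsigned physmap_idx,
    vm_paddr_t pa, vm_paddr_t *phys_avail, uint64_t *physmem)
{
    unsigned map_slot, avail_slot;
    *physmem = 0;
    for (map_slot = avail_slot = 0; map_slot < physmap_idx * 2; map_slot += 2) {
        if (physmap[map_slot] == physmap[map_slot + 1])
            continue;               /* empty entry, as in the original */
        if (physmap[map_slot] <= pa && physmap[map_slot + 1] > pa)
            break;                  /* reached the segment holding the kernel */
        if (avail_slot >= PHYS_AVAIL_SIZE - 2)
            return (-1);            /* added bound; the reported loop has none */
        phys_avail[avail_slot] = physmap[map_slot];
        phys_avail[avail_slot + 1] = physmap[map_slot + 1];
        *physmem += (phys_avail[avail_slot + 1] - phys_avail[avail_slot])
            >> PAGE_SHIFT;
        avail_slot += 2;
    }
    return ((int)avail_slot);
}

/* Constructed memory map: 1 MiB segments, all below a kernel placed at
 * 0x80000000, plus one empty entry that the loop skips. */
static const vm_paddr_t demo_physmap[] = {
    0x00100000, 0x00200000,
    0x00200000, 0x00200000,
    0x00300000, 0x00400000,
    0x00500000, 0x00600000,
    0x00700000, 0x00800000,
};

/* Run the loop over the first `nseg` physmap entries; return its result. */
int demo_slots(unsigned nseg)
{
    vm_paddr_t phys_avail[PHYS_AVAIL_SIZE] = { 0 };
    uint64_t physmem;
    return (fill_phys_avail(demo_physmap, nseg, 0x80000000ULL, phys_avail, &physmem));
}
```

With three map entries the copy fits (two real segments, four slots used); with all five it would need ten slots, and the added bound stops the write instead of running past the array.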