RE: git: 8d4464377219 - stable/14 - vm_page: Fix loading bad memory addresses from file
Date: Sat, 02 Aug 2025 06:39:09 UTC
Romain Tartière <romain_at_FreeBSD.org> wrote on Sat, 02 Aug 2025 05:31:12 UTC:
> Romain Tartière <romain_at_FreeBSD.org>
> Date: Sat, 02 Aug 2025 05:31:12 UTC
> The branch stable/14 has been updated by romain:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=8d4464377219dcf45e87510b73767c9ec3515bc2
>
> commit 8d4464377219dcf45e87510b73767c9ec3515bc2
> Author: Romain Tartière <romain@FreeBSD.org>
> AuthorDate: 2025-07-25 18:31:57 +0000
> Commit: Romain Tartière <romain@FreeBSD.org>
> CommitDate: 2025-08-02 05:30:18 +0000
>
> vm_page: Fix loading bad memory addresses from file
>
> When loading bad memory addresses from a file, we are passed an end
> pointer that points on the first byte after the buffer. We want the
> buffer to be null-terminated (by changing the last byte to \0 if it is
> reasonable to do so), so adjust the end pointer to be on that byte.
>
> Approved by: kib, markj
> MFC after: 1 week
> Differential Revision: https://reviews.freebsd.org/D51433
>
> (cherry picked from commit 202f8bde836dc86627be2b5b98174d9a0fb2eaba)
> ---
> sys/vm/vm_page.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sys/vm/vm_page.c b/sys/vm/vm_page.c
> index ac922f4a3bc8..f013cbc84c25 100644
> --- a/sys/vm/vm_page.c
> +++ b/sys/vm/vm_page.c
> @@ -393,7 +393,7 @@ vm_page_blacklist_load(char **list, char **end)
> }
> *list = ptr;
> if (ptr != NULL)
> - *end = ptr + len;
> + *end = ptr + len - 1;
This looks wrong to me if/when len==0 is possible.
It looks possible, see below.
> else
> *end = NULL;
> return;
> return;
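Review bot: the new `*end = ptr + len - 1;` has no guard for len == 0, and the quoted preload_fetch_size() returns 0 when MODINFO_SIZE is absent, so a present-but-empty blob makes *end = ptr - 1, a pointer before the buffer that the '\0' store described in the commit message would then write to. Suggest `if (ptr != NULL && len > 0)` for the adjusted end pointer, letting the existing `else` branch (`*end = NULL;`) cover the empty case, or have the caller treat len == 0 as no list.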
More context, original code (from main):
. . .
    mod = preload_search_by_type("ram_blacklist");
    if (mod != NULL) {
        ptr = preload_fetch_addr(mod);
        len = preload_fetch_size(mod);
    }
    *list = ptr;
    if (ptr != NULL)
        *end = ptr + len;
    else
        *end = NULL;
    return;
. . .
But in /usr/src/sys/kern/subr_module.c :
size_t
preload_fetch_size(caddr_t mod)
{
    size_t *mdp;

    mdp = (size_t *)preload_search_info(mod, MODINFO_SIZE);
    if (mdp == NULL)
        return (0);
    return (*mdp);
}
Note the "return (0);" (possibly *mdp==0 as well when mdp!=0 ?).
Then, for that return, showing the substitution:
+ *end = ptr + 0 - 1;
Simplifying for the specific case:
+ *end = ptr - 1;
That looks likely to be wrong to me.
===
Mark Millard
marklmi at yahoo.com
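To make the len == 0 concern in this thread concrete, here is an added example, not FreeBSD code: a hypothetical stand-in blacklist_load() that computes the end pointer with a guard for an empty blob, and a hypothetical blacklist_count() that performs the '\0' store the commit message describes and then parses a constructed address list.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the committed logic plus the len == 0 guard:
 * *end is the last byte of the blob, or NULL when there is no usable blob
 * (ptr == NULL, or preload_fetch_size() reported 0 bytes). */
static void
blacklist_load(char *ptr, size_t len, char **list, char **end)
{
    if (ptr == NULL || len == 0) {
        *list = NULL;
        *end = NULL;    /* never ptr - 1 */
        return;
    }
    *list = ptr;
    *end = ptr + len - 1;
}

/* Overwrite the last byte with '\0' so the blob is a C string, then count
 * the addresses it holds. Returns -1 when there is no list at all. */
static int
blacklist_count(char *list, char *end)
{
    int n = 0;
    char *p, *q;

    if (list == NULL || end == NULL)
        return (-1);
    *end = '\0';
    for (p = list; *p != '\0'; p = q) {
        unsigned long addr = strtoul(p, &q, 0);
        if (q == p) {   /* no number here: skip one separator byte */
            q++;
            continue;
        }
        (void)addr;
        n++;
    }
    return (n);
}

/* Constructed sample blob, unterminated as a loader would receive it. */
static int
demo_two_addresses(void)
{
    char blob[] = "0x1000,0x2000\n";
    char *list, *end;

    blacklist_load(blob, sizeof(blob) - 1, &list, &end);
    return (blacklist_count(list, end));    /* 2 */
}

/* Blob present but MODINFO_SIZE missing, so the reported length is 0. */
static int
demo_empty_blob(void)
{
    char blob[1] = { 'x' };
    char *list, *end;

    blacklist_load(blob, 0, &list, &end);
    return (blacklist_count(list, end));    /* -1, nothing written */
}

int
main(void)
{
    printf("addresses: %d, empty blob: %d\n",
        demo_two_addresses(), demo_empty_blob());
    return (0);
}
```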