[Bug 231515] Potential out-of-bounds access in function pmap_bootstrap (sys/riscv/riscv/pmap.c)
bugzilla-noreply at freebsd.org
Thu Sep 20 13:44:53 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231515
Bug ID: 231515
Summary: Potential out-of-bounds access in function
pmap_bootstrap (sys/riscv/riscv/pmap.c)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 197279
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197279&action=edit
Patch_for_RISCV_OUT-OF-BOUNDS-ACCESS
There is a potential out-of-bounds access in function pmap_bootstrap
(sys/riscv/riscv/pmap.c).
563 void
564 pmap_bootstrap(vm_offset_t l1pt, vm_paddr_t kernstart, vm_size_t kernlen)
565 {
566     u_int l1_slot, l2_slot, avail_slot, map_slot, used_map_slot;
567     uint64_t kern_delta;
568     pt_entry_t *l2;
569     vm_offset_t va, freemempos;
570     vm_offset_t dpcpu, msgbufpv;
571     vm_paddr_t pa, min_pa, max_pa;
572     int i;
...
621     map_slot = avail_slot = 0;
622     for (; map_slot < (physmap_idx * 2); map_slot += 2) {
623         if (physmap[map_slot] == physmap[map_slot + 1])
624             continue;
625
626         if (physmap[map_slot] <= pa &&
627             physmap[map_slot + 1] > pa)
628             break;
629
630         phys_avail[avail_slot] = physmap[map_slot];
631         phys_avail[avail_slot + 1] = physmap[map_slot + 1];
632         physmem += (phys_avail[avail_slot + 1] -
633             phys_avail[avail_slot]) >> PAGE_SHIFT;
634         avail_slot += 2;
635     }
636
637     /* Add the memory before the kernel */
638     if (physmap[avail_slot] < pa) {
639         phys_avail[avail_slot] = physmap[map_slot];
640         phys_avail[avail_slot + 1] = pa;
641         physmem += (phys_avail[avail_slot + 1] -
642             phys_avail[avail_slot]) >> PAGE_SHIFT;
643         avail_slot += 2;
644     }
...
737 }
avail_slot may be bigger than or equal to PHYS_AVAIL_SIZE - 2 in the loop (line 634).
Then there would be an out-of-bounds access to the phys_avail array in lines 630,
631, 639, 640 and so on.
The attachment is the proposed patch for this vulnerability.
--
You are receiving this mail because:
You are the assignee for the bug.
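
The bounds check this report asks for, as an added example that is not part of the original report, not FreeBSD's code and not the attached patch: a user-space C model of the loop at lines 621-644 that refuses to store a pair once only the last two slots are left. `avail_put`, `fill_phys_avail`, `AVAIL_SIZE_DEMO` and the sample addresses are constructed for this illustration; keeping the last two slots as a zero terminator pair is an assumption taken from the report's `PHYS_AVAIL_SIZE - 2` bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t paddr_t;
#define AVAIL_SIZE_DEMO 10	/* constructed; not the kernel's PHYS_AVAIL_SIZE */

/* Checked store of one [start, end) pair; the last two slots stay zero. */
static int
avail_put(paddr_t *avail, size_t size, unsigned *slot, paddr_t start, paddr_t end)
{
	if ((size_t)*slot + 4 > size)
		return (-1);
	avail[*slot] = start;
	avail[*slot + 1] = end;
	*slot += 2;
	return (0);
}

/* Returns the number of slots used, or -1 if the ranges do not fit. */
static int
fill_phys_avail(const paddr_t *physmap, unsigned physmap_idx, paddr_t pa,
    paddr_t *avail, size_t size)
{
	unsigned map_slot, avail_slot = 0;
	for (map_slot = 0; map_slot < physmap_idx * 2; map_slot += 2) {
		if (physmap[map_slot] == physmap[map_slot + 1])
			continue;	/* empty range */
		if (physmap[map_slot] <= pa && physmap[map_slot + 1] > pa)
			break;		/* range holding the kernel */
		if (avail_put(avail, size, &avail_slot, physmap[map_slot],
		    physmap[map_slot + 1]) != 0)
			return (-1);
	}
	/* Memory before the kernel; the model tests the range the loop stopped on. */
	if (map_slot < physmap_idx * 2 && physmap[map_slot] < pa &&
	    avail_put(avail, size, &avail_slot, physmap[map_slot], pa) != 0)
		return (-1);
	return ((int)avail_slot);
}

int main(void)
{
	/* Constructed map: five ranges below the one that contains pa. */
	paddr_t physmap[] = { 0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x6000,
	    0x7000, 0x8000, 0x9000, 0xa000, 0xb000, 0xf000 };
	paddr_t avail[AVAIL_SIZE_DEMO] = { 0 };
	printf("%d\n", fill_phys_avail(physmap, 6, 0xc000, avail, AVAIL_SIZE_DEMO));
	return (0);
}
```

With the constructed map the fifth pair would land in the reserved slots, so the call returns -1 instead of writing past the usable part of the array.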