svn commit: r320560 - head/sys/vm
Alan Cox
alc at FreeBSD.org
Sat Jul 1 23:39:51 UTC 2017
Author: alc
Date: Sat Jul 1 23:39:49 2017
New Revision: 320560
URL: https://svnweb.freebsd.org/changeset/base/320560
Log:
Modify vm_map_growstack() to protect itself from the possibility of the
gap entry in the vm map being smaller than the sysctl-derived stack guard
size. Otherwise, the value of max_grow can suffer from overflow, and the
roundup(grow_amount, sgrowsiz) will not be properly capped, resulting in
an assertion failure.
In collaboration with: kib
MFC after: 3 days
Modified:
head/sys/vm/vm_map.c
Modified: head/sys/vm/vm_map.c
==============================================================================
--- head/sys/vm/vm_map.c Sat Jul 1 22:54:52 2017 (r320559)
+++ head/sys/vm/vm_map.c Sat Jul 1 23:39:49 2017 (r320560)
@@ -3685,7 +3685,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_ma
struct vmspace *vm;
struct ucred *cred;
vm_offset_t gap_end, gap_start, grow_start;
- size_t grow_amount, max_grow;
+ size_t grow_amount, guard, max_grow;
rlim_t lmemlim, stacklim, vmemlim;
int rv, rv1;
bool gap_deleted, grow_down, is_procstack;
@@ -3701,6 +3701,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_ma
MPASS(map == &p->p_vmspace->vm_map);
MPASS(!map->system_map);
+ guard = stack_guard_page * PAGE_SIZE;
lmemlim = lim_cur(curthread, RLIMIT_MEMLOCK);
stacklim = lim_cur(curthread, RLIMIT_STACK);
vmemlim = lim_cur(curthread, RLIMIT_VMEM);
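Review bot: The product in `guard = stack_guard_page * PAGE_SIZE;` is widened to `size_t` only after the multiplication. The declaration of `stack_guard_page` is not visible in this hunk, but if it is a plain `int` set through a sysctl, a large setting could overflow in `int` width before the assignment. Casting first, `guard = (size_t)stack_guard_page * PAGE_SIZE;`, or bounding the value in the sysctl handler would make the snapshot well defined. A negative setting would convert to a very large `guard`, which the new `guard > max_grow` check in the third hunk then rejects, so that case appears to fail safe. vm_map_growstack begins and ends outside this hunk.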
@@ -3727,8 +3728,10 @@ retry:
} else {
return (KERN_FAILURE);
}
- max_grow = gap_entry->end - gap_entry->start - stack_guard_page *
- PAGE_SIZE;
+ max_grow = gap_entry->end - gap_entry->start;
+ if (guard > max_grow)
+ return (KERN_NO_SPACE);
+ max_grow -= guard;
if (grow_amount > max_grow)
return (KERN_NO_SPACE);
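Review bot: The new `if (guard > max_grow)` early return has no comment, so a reader of vm_map.c must find the commit log to learn why a gap entry can be smaller than the guard. I would add above it something like `/* The gap may be smaller than the current sysctl-derived guard size; fail before the subtraction wraps. */`. It may also be worth checking that the rest of vm_map_growstack uses the `guard` local rather than reading `stack_guard_page` again. The function body continues outside this hunk, and mixing the two could see different values if the sysctl changes during the call.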