diff options
| author | alfred <alfred@FreeBSD.org> | 2000-11-07 18:31:16 +0000 |
|---|---|---|
| committer | alfred <alfred@FreeBSD.org> | 2000-11-07 18:31:16 +0000 |
| commit | 3e03c96525821f636a2426b887118bfb69f398a7 (patch) | |
| tree | 69c423f2555741b2cc8c574f8e7c75673a02026c | |
| parent | 263a923eb9084f80f0266721a8d759791ae574db (diff) | |
| download | FreeBSD-src-3e03c96525821f636a2426b887118bfb69f398a7.zip FreeBSD-src-3e03c96525821f636a2426b887118bfb69f398a7.tar.gz | |
Protect against an infinite loop when prefaulting pages. This can
happen when the vm system maps past the end of an object or tries
to map a zero length object, the pmap layer misses the fact that
offsets wrap into negative numbers and we get stuck.
Found by: Joost Pol aka Nohican <nohican@marcella.niets.org>
Submitted by: tegge
| -rw-r--r-- | sys/amd64/amd64/pmap.c | 5 | ||||
| -rw-r--r-- | sys/i386/i386/pmap.c | 5 |
2 files changed, 8 insertions, 2 deletions
diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c index 3d8bbb2..4aefc1c 100644 --- a/sys/amd64/amd64/pmap.c +++ b/sys/amd64/amd64/pmap.c @@ -2337,8 +2337,11 @@ retry: return; } - if (psize + pindex > object->size) + if (psize + pindex > object->size) { + if (object->size < pindex) + return; psize = object->size - pindex; + } mpte = NULL; /* diff --git a/sys/i386/i386/pmap.c b/sys/i386/i386/pmap.c index 3d8bbb2..4aefc1c 100644 --- a/sys/i386/i386/pmap.c +++ b/sys/i386/i386/pmap.c @@ -2337,8 +2337,11 @@ retry: return; } - if (psize + pindex > object->size) + if (psize + pindex > object->size) { + if (object->size < pindex) + return; psize = object->size - pindex; + } mpte = NULL; /* |
