x86: Fix integer overflow in pml_for_each()
authorBarret Rhoden <brho@cs.berkeley.edu>
Mon, 28 Nov 2016 03:14:33 +0000 (22:14 -0500)
committerBarret Rhoden <brho@cs.berkeley.edu>
Tue, 29 Nov 2016 16:27:40 +0000 (11:27 -0500)
If kva + pgsize wrapped around and was 0, it'd wrongly be the MIN when
compared to start + len.  We need to subtract the sub_start before
comparing with MIN() to 'undo' the temporary overflow in the size
calculation.

Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>
kern/arch/x86/pmap64.c

index 5e7949c..ff71d7b 100644 (file)
@@ -328,7 +328,9 @@ static int __pml_for_each(kpte_t *pml,  uintptr_t start, size_t len,
                         * entries, we want the subpmls to process the full range they are
                         * responsible for: [kva, kva + pgsize). */
                        uintptr_t sub_start = MAX(kva, start);
-                       size_t sub_len = MIN(start + len, kva + pgsize) - sub_start;
+                       size_t sub_len = MIN(start + len - sub_start,
+                                            kva + pgsize - sub_start);
+
                        ret = __pml_for_each(kpte2pml(*kpte_i), sub_start, sub_len,
                                             callback, arg, pml_shift - BITS_PER_PML);
                        if (ret)