diff options
| author | Olivier Certner <olce@FreeBSD.org> | 2024-10-28 16:22:28 +0000 |
|---|---|---|
| committer | Olivier Certner <olce@FreeBSD.org> | 2025-02-19 14:13:27 +0000 |
| commit | 291b7bf071e8b50f2b7877213b2d3307ae5d3e38 (patch) | |
| tree | fdc8fe631556dbbb220d5099d2decdde859809ae | |
| parent | 8a14ddcc1d8e4384d8ad77c5536c916c6e9a7d65 (diff) | |
vm_phys_avail_count(): Fix out-of-bounds accesses
On improper termination of phys_avail[] (two consecutive 0 starting at
an even index), this function would (unnecessarily) continue searching
for the termination markers even if the index was out of bounds.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48629
| -rw-r--r-- | sys/vm/vm_phys.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c index 3b3b3cb16bb9..e2b5a6e21365 100644 --- a/sys/vm/vm_phys.c +++ b/sys/vm/vm_phys.c @@ -1782,12 +1782,10 @@ vm_phys_avail_count(void) { int i; - for (i = 0; phys_avail[i + 1]; i += 2) - continue; - if (i > PHYS_AVAIL_ENTRIES) - panic("Improperly terminated phys_avail %d entries", i); - - return (i); + for (i = 0; i < PHYS_AVAIL_COUNT; i += 2) + if (phys_avail[i] == 0 && phys_avail[i + 1] == 0) + return (i); + panic("Improperly terminated phys_avail[]"); } /* |