NetBSD Problem Report #29507

From www@netbsd.org  Tue Feb 22 20:27:41 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
	id A4EE463B400; Tue, 22 Feb 2005 20:27:41 +0000 (UTC)
Message-Id: <20050222202741.A4EE463B400@narn.netbsd.org>
Date: Tue, 22 Feb 2005 20:27:41 +0000 (UTC)
From: nludban@terabeam.com
Reply-To: nludban@terabeam.com
To: gnats-bugs@netbsd.org
Subject: pmap_extract() dereferencing NULL pointer
X-Send-Pr-Version: www-1.0

>Number:         29507
>Category:       port-powerpc
>Synopsis:       pmap_extract() dereferencing NULL pointer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    briggs
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 22 20:28:00 +0000 2005
>Closed-Date:    Tue Feb 22 21:07:53 +0000 2005
>Last-Modified:  Sun Aug 07 14:36:00 +0000 2005
>Originator:     Neil Ludban
>Release:        2.99.15
>Organization:
>Environment:
powerpc (private port to MPC8272)
>Description:
In uvm_fault(), a NULL pointer is passed to pmap_extract():

		/*
		 * dont play with VAs that are already mapped
		 * except for center)
		 */
		if (lcv != centeridx &&
		    pmap_extract(ufi.orig_map->pmap, currva, NULL)) {
			pages[lcv] = PGO_DONTCARE;
			continue;
		}

The implementation in arch/powerpc/oea/pmap.c uses this value
without checking if it's NULL.

>How-To-Repeat:

>Fix:
(Patch against $NetBSD: pmap.c,v 1.27 2005/01/16 23:52:12 chs Exp $)

Index: arch/powerpc/oea/pmap.c
===================================================================
RCS file: /usr/cvsroot/src/sys/arch/powerpc/oea/pmap.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 pmap.c
--- arch/powerpc/oea/pmap.c     2005/02/10 19:21:21     1.1.1.2
+++ arch/powerpc/oea/pmap.c     2005/02/22 19:56:49
@@ -2030,7 +2030,8 @@
                                    battable[va >> ADDR_SR_SHFT].batl;
                                register_t mask =
                                    (~(batu & BAT_BL) << 15) & ~0x1ffffL;
-                               *pap = (batl & mask) | (va & ~mask);
+                               if (pap != NULL)
+                                       *pap = (batl & mask) | (va & ~mask);
                                return TRUE;
                        }
                } else {
@@ -2041,11 +2042,13 @@
                            BAT601_VA_MATCH_P(batu, batl, va)) {
                                register_t mask =
                                    (~(batl & BAT601_BSM) << 17) & ~0x1ffffL;
-                               *pap = (batl & mask) | (va & ~mask);
+                               if (pap != NULL)
+                                       *pap = (batl & mask) | (va & ~mask);
                                return TRUE;
                        } else if (SR601_VALID_P(sr) &&
                                   SR601_PA_MATCH_P(sr, va)) {
-                               *pap = va;
+                               if (pap != NULL)
+                                       *pap = va;
                                return TRUE;
                        }
                }
@@ -2056,7 +2059,9 @@
        pvo = pmap_pvo_find_va(pm, va & ~ADDR_POFF, NULL);
        if (pvo != NULL) {
                PMAP_PVO_CHECK(pvo);            /* sanity check */
-               *pap = (pvo->pvo_pte.pte_lo & PTE_RPGN) | (va & ADDR_POFF);
+               if (pap != NULL)
+                       *pap = ((pvo->pvo_pte.pte_lo & PTE_RPGN)
+                               | (va & ADDR_POFF));
        }
        pmap_interrupts_restore(msr);
        return pvo != NULL;

>Release-Note:

>Audit-Trail:
From: Allen Briggs <briggs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: PR/29507 CVS commit: src/sys/arch/powerpc/oea
Date: Tue, 22 Feb 2005 21:06:56 +0000 (UTC)

 Module Name:	src
 Committed By:	briggs
 Date:		Tue Feb 22 21:06:56 UTC 2005

 Modified Files:
 	src/sys/arch/powerpc/oea: pmap.c

 Log Message:
 pmap_extract(): Only attempt to set '*pap' if pap is non-NULL.
 PR port-powerpc/29507 from Neil Ludban.


 To generate a diff of this commit:
 cvs rdiff -r1.28 -r1.29 src/sys/arch/powerpc/oea/pmap.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Responsible-Changed-From-To: port-powerpc-maintainer->briggs
Responsible-Changed-By: briggs@netbsd.org
Responsible-Changed-When: Tue, 22 Feb 2005 21:07:53 +0000
Responsible-Changed-Why:
I did it.


State-Changed-From-To: open->closed
State-Changed-By: briggs@netbsd.org
State-Changed-When: Tue, 22 Feb 2005 21:07:53 +0000
State-Changed-Why:
Modified as suggested.  Revision 1.29 of oea/pmap.c.


From: Jeff Rizzo <riz@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: PR/29507 CVS commit: [netbsd-2] src/sys/arch/powerpc/oea
Date: Sun,  7 Aug 2005 14:35:06 +0000 (UTC)

 Module Name:	src
 Committed By:	riz
 Date:		Sun Aug  7 14:35:06 UTC 2005

 Modified Files:
 	src/sys/arch/powerpc/oea [netbsd-2]: pmap.c

 Log Message:
 Pull up revisions 1.23 and 1.29 (requested by briggs in ticket #1238):
 Consider the MPC601's different battable layout and its use of
 I/O segments.
 Ensure that pap is non-NULL before use in pmap_extract(). Fixes PR#29507.


 To generate a diff of this commit:
 cvs rdiff -r1.23.2.1 -r1.23.2.1.2.1 src/sys/arch/powerpc/oea/pmap.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
Home
PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.