vm_map.c: plug several more places which might modify entry->offset

for the GUARD entries protecting stacks gaps. syzkaller: https://syzkaller.appspot.com/bug?extid=c325d6a75e4fd0a68714 Reviewed by: dougm, markj (previous version) Tested by: pho (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D41475
2023-08-15 22:05:33 +03:00 · 2023-08-15 22:05:33 +03:00 · c718009884
commit c718009884
parent 2a9021898c
1 changed files with 10 additions and 3 deletions
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@ -1413,7 +1413,9 @@ vm_map_entry_link(vm_map_t map, vm_map_entry_t entry)
 		KASSERT(entry->end < root->end,
 		    ("%s: clip_start not within entry", __func__));
 		vm_map_splay_findprev(root, &llist);
-		root->offset += entry->end - root->start;
+		if ((root->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP)) == 0)
+			root->offset += entry->end - root->start;
 		root->start = entry->end;
 		max_free_left = vm_map_splay_merge_pred(header, entry, llist);
 		max_free_right = root->max_free = vm_size_max(
@ -1429,7 +1431,9 @@ vm_map_entry_link(vm_map_t map, vm_map_entry_t entry)
 		KASSERT(entry->end == root->end,
 		    ("%s: clip_start not within entry", __func__));
 		vm_map_splay_findnext(root, &rlist);
-		entry->offset += entry->start - root->start;
+		if ((entry->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP)) == 0)
+			entry->offset += entry->start - root->start;
 		root->end = entry->start;
 		max_free_left = root->max_free = vm_size_max(
 		    vm_map_splay_merge_left(header, root, llist),
@ -1463,6 +1467,8 @@ vm_map_entry_unlink(vm_map_t map, vm_map_entry_t entry,
 	vm_map_splay_findnext(root, &rlist);
 	if (op == UNLINK_MERGE_NEXT) {
 		rlist->start = root->start;
+		MPASS((rlist->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP) == 0);
 		rlist->offset = root->offset;
 	}
 	if (llist != header) {
@ -3103,7 +3109,8 @@ vm_map_madvise(
 		    entry = vm_map_entry_succ(entry)) {
 			vm_offset_t useEnd, useStart;

-			if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0)
+			if ((entry->eflags & (MAP_ENTRY_IS_SUB_MAP |
+			    MAP_ENTRY_GUARD)) != 0)
 				continue;

 			/*