From 201f03b8e71e30ee471f74b0e511146a99b77a91 Mon Sep 17 00:00:00 2001
From: Alan Cox
Date: Sat, 1 Jul 2017 23:39:49 +0000
Subject: [PATCH] Modify vm_map_growstack() to protect itself from the possibility of the gap entry in the vm map being smaller than the sysctl-derived stack guard size. Otherwise, the value of max_grow can suffer from overflow, and the roundup(grow_amount, sgrowsiz) will not be properly capped, resulting in an assertion failure.
In collaboration with: kib
MFC after: 3 days
---
 sys/vm/vm_map.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 114e4b34a904..0a99ddde486f 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3685,7 +3685,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_map_entry_t gap_entry)
 	struct vmspace *vm;
 	struct ucred *cred;
 	vm_offset_t gap_end, gap_start, grow_start;
-	size_t grow_amount, max_grow;
+	size_t grow_amount, guard, max_grow;
 	rlim_t lmemlim, stacklim, vmemlim;
 	int rv, rv1;
 	bool gap_deleted, grow_down, is_procstack;
@@ -3701,6 +3701,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_map_entry_t gap_entry)
 	MPASS(map == &p->p_vmspace->vm_map);
 	MPASS(!map->system_map);
 
+	guard = stack_guard_page * PAGE_SIZE;
 	lmemlim = lim_cur(curthread, RLIMIT_MEMLOCK);
 	stacklim = lim_cur(curthread, RLIMIT_STACK);
 	vmemlim = lim_cur(curthread, RLIMIT_VMEM);
@@ -3727,8 +3728,10 @@ retry:
 	} else {
 		return (KERN_FAILURE);
 	}
-	max_grow = gap_entry->end - gap_entry->start - stack_guard_page *
-	    PAGE_SIZE;
+	max_grow = gap_entry->end - gap_entry->start;
+	if (guard > max_grow)
+		return (KERN_NO_SPACE);
+	max_grow -= guard;
 	if (grow_amount > max_grow)
 		return (KERN_NO_SPACE);
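Review bot: The new `guard = stack_guard_page * PAGE_SIZE;` line in the second hunk takes the product of a sysctl-tunable value and the page size with no range check, and the declaration of `stack_guard_page` is not in this hunk, so if it is a plain `int` the product is computed in `int` and a large tunable value can wrap before the widening to `size_t`, silently producing a guard smaller than the administrator asked for — the gap-size check that follows would then pass with a weakened guard rather than failing. Snapshotting the tunable once into the local `guard` is the right thing here, since both the comparison and the subtraction in the later hunk then see one consistent value; I would just make the arithmetic width explicit and document the assumption, e.g. `/* Read the tunable once; the product must not wrap, see sysctl handler. */` and `guard = (size_t)stack_guard_page * PAGE_SIZE;`, and reject out-of-range values in the sysctl handler itself if that is not already done. A negative tunable would convert to a huge `size_t` and make every growth fail with KERN_NO_SPACE, which is a safe failure but worth a comment. The body of vm_map_growstack() continues outside this hunk.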