i386/4946: incorrect range checking in nkpde calculation

mickey-6
>Number:         4946
>Category:       i386
>Synopsis:       incorrect range checking in nkpde calculation
>Confidential:   yes
>Severity:       critical
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 20 01:10:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     [hidden email]
>Release:        -current
>Organization:
net
>Environment:
       
        System      : OpenBSD 3.8
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        Two problems.
        One is range checking that is all opposite and forces any value
        above NKPTP_MIN back to NKPTP_MIN (4 exactly).
        Thus the zeroed pages allocated for the initial kpt are only 4.
        Later the kpd gets initialised to use "nkpde" entries, thus mapping
        uninitialised pages as kptp's, causing all kinds of trouble
        depending on the memory contents.
>How-To-Repeat:
        Use kernel option NKPTP above the minimum.
>Fix:
        Fix range checking and also store the adjusted value back
        for later use in the code.
Index: arch/i386/i386/locore.s
===================================================================
RCS file: /cvs/src/sys/arch/i386/i386/locore.s,v
retrieving revision 1.95
diff -u -r1.95 locore.s
--- arch/i386/i386/locore.s 25 Nov 2005 07:07:49 -0000 1.95
+++ arch/i386/i386/locore.s 15 Dec 2005 12:07:23 -0000
@@ -581,13 +582,14 @@
  */
  movl RELOC(_C_LABEL(nkpde)),%ecx # get nkpde
  cmpl $NKPTP_MIN,%ecx # larger than min?
- jge 1f
+ jl 1f
  movl $NKPTP_MIN,%ecx # set at min
  jmp 2f
 1: cmpl $NKPTP_MAX,%ecx # larger than max?
- jle 2f
+ jge 2f
  movl $NKPTP_MAX,%ecx
 2:
+ movl %ecx,RELOC(_C_LABEL(nkpde)) # and store it back
 
  /* Clear memory for bootstrap tables. */
  shll $PGSHIFT,%ecx
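Review bot: The inverted branch senses in this hunk (`jge 1f` to `jl 1f`, `jle 2f` to `jge 2f`) look wrong for AT&T syntax, where `cmpl $NKPTP_MIN,%ecx` sets flags from %ecx minus NKPTP_MIN, so the original `jge 1f` already skips the clamp when nkpde is at or above the minimum. With `jl 1f`, a value below NKPTP_MIN skips the clamp and every value at or above it falls through to `movl $NKPTP_MIN,%ecx`, which is the "forced back to NKPTP_MIN" symptom the description reports; `jge 2f` likewise forces every value below NKPTP_MAX up to the maximum and lets larger values through. Suggest keeping `jge 1f` and `jle 2f` and taking only the added `movl %ecx,RELOC(_C_LABEL(nkpde))`, which is the part that makes the number of pages cleared by `shll $PGSHIFT,%ecx` agree with the nkpde entries used later; if values above the minimum really do collapse to 4 with the unmodified code, the cause should be traced before the comparisons are inverted.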


>Release-Note:
>Audit-Trail:
>Unformatted:
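The mechanism the report describes, as an added example in C that is not code from the PR or from OpenBSD: the two compare/branch pairs from locore.s are modelled with the branch sense as a parameter so either reading of the assembly can be run, the clamped count of pages is cleared, and the model then counts how many of the nkpde page-table pages the directory will reference are still uninitialised. NKPTP_MIN is set to 4 to match the "4 exactly" in the report; NKPTP_MAX, the size of the memory pool, the garbage fill pattern and the function names clamp_nkpde and bootstrap are assumptions of the model, not values from the page.

```c
/*
 * Model of the nkpde range check and bootstrap page-table clearing
 * from i386 locore.s. Added example; not OpenBSD code.
 * NKPTP_MAX, POOL_PAGES and the fill pattern are assumed for the model.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PGSHIFT    12
#define PAGE_SIZE  (1u << PGSHIFT)
#define NKPTP_MIN  4               /* the "4 exactly" from the report */
#define NKPTP_MAX  64              /* assumed value for the model */
#define POOL_PAGES (NKPTP_MAX + 16) /* assumed: room for an over-large request */

/* Constructed stand-in for physical memory after the kernel image. */
static uint8_t pool[POOL_PAGES * PAGE_SIZE];

/* The variable locore.s reads; the PR's fix stores the clamped value back. */
int nkpde;

/*
 * The two compare/branch pairs, with the branch sense as a parameter:
 * inverted=0 is jge 1f / jle 2f, inverted=1 is jl 1f / jge 2f.
 * In AT&T syntax cmpl $K,%ecx sets flags from %ecx - K, so jge means "%ecx >= K".
 */
int clamp_nkpde(int ecx, int inverted)
{
    int skip_min = inverted ? (ecx < NKPTP_MIN) : (ecx >= NKPTP_MIN);
    if (!skip_min)                 /* fall through: movl $NKPTP_MIN,%ecx; jmp 2f */
        return NKPTP_MIN;
    int skip_max = inverted ? (ecx >= NKPTP_MAX) : (ecx <= NKPTP_MAX);
    if (!skip_max)                 /* fall through: movl $NKPTP_MAX,%ecx */
        return NKPTP_MAX;
    return ecx;
}

/*
 * Bootstrap model: clear ecx pages for the initial page tables, then count
 * how many of the nkpde page-table pages the directory will use still hold
 * uninitialised (non-zero) bytes. Returns that count, or -1 if the request
 * does not fit the model's pool.
 */
int bootstrap(int requested, int inverted, int store_back)
{
    if (requested < 0 || requested > POOL_PAGES)
        return -1;
    nkpde = requested;
    int ecx = clamp_nkpde(nkpde, inverted);
    if (store_back)
        nkpde = ecx;               /* movl %ecx,RELOC(_C_LABEL(nkpde)) */

    /* Constructed garbage: what memory holds before it is cleared. */
    for (size_t i = 0; i < sizeof pool; i++)
        pool[i] = (uint8_t)(0xA5 ^ i);

    /* "Clear memory for bootstrap tables": ecx << PGSHIFT bytes. */
    memset(pool, 0, (size_t)ecx << PGSHIFT);

    /* Later code uses nkpde entries; each should point at a zeroed page. */
    int garbage_pages = 0;
    for (int i = 0; i < nkpde; i++) {
        const uint8_t *pt = pool + ((size_t)i << PGSHIFT);
        for (size_t j = 0; j < PAGE_SIZE; j++) {
            if (pt[j] != 0) { garbage_pages++; break; }
        }
    }
    return garbage_pages;
}

int main(void)
{
    printf("NKPTP=16, jge/jle, no store-back: %d garbage pages\n", bootstrap(16, 0, 0));
    printf("NKPTP=16, jl/jge,  no store-back: %d garbage pages\n", bootstrap(16, 1, 0));
    printf("NKPTP=16, jl/jge,  store-back:    %d garbage pages\n", bootstrap(16, 1, 1));
    printf("NKPTP=80, jge/jle, no store-back: %d garbage pages\n", bootstrap(80, 0, 0));
    printf("NKPTP=80, jge/jle, store-back:    %d garbage pages\n", bootstrap(80, 0, 1));
    return 0;
}
```

Running it shows the two effects separately: with the jl/jge sense a request of 16 is clamped to 4 and twelve of the sixteen page-table pages the directory will use are never cleared, and with either sense a request above the maximum leaves uncleared pages unless the clamped value is stored back into nkpde, which is what the added `movl` in the patch does.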