Bug #10806
mnode_range_setup() makes assumptions about mnodes
Status:
Closed
Start date:
2019-04-16
% Done:
100%
Difficulty:
Medium
Tags:
needs-triage
Updated by John Levon over 4 years ago
SmartOS OS-7644
Some EFI-booted systems do not have a memnode covering pfn 0:
> mem_node_config::print
[ { exists = 0x1 physbase = 0x10 physmax = 0xc3ffff }, { exists = 0x1 physbase = 0xc40000 physmax = 0x183ffff },
However, mnode_range_setup() presumes that we do, and flies into hyperspace. We need to fix this assumption and instead just qsort() the mnoderange array.
Updated by John Levon over 4 years ago
A little more detailed example from the downstream bug:
[0]> mem_node_config::print
[ { exists = 0x1 physbase = 0x4000 physmax = 0xc3ffff }, { exists = 0x1 physbase = 0xc40000 physmax = 0x183ffff }...

void
mnode_range_setup(mnoderange_t *mnoderanges)
{
...
	/*
	 * For now do a simple sort of the mnoderanges array to fill in
	 * the mnr_next fields. Since mindex is expected to be relatively
	 * small, using a simple O(N^2) algorithm.
	 */
	for (i = 0; i < mindex; i++) {
		if (mp[i].mnr_pfnlo == 0) /* find lowest */
			break;
	}
	ASSERT(i < mindex);
	last = i;
	mtype16m = last;
Since we do not have an mnr_pfnlo == 0 mrange, we end up one past the end of the array, which happens to be within the page stuff, and we end up corrupting memory allocated past the mnoderanges.
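An added example (not the page's or illumos' own code) that puts the two approaches side by side on a constructed memnode layout like the one above: the original "find lowest" scan, whose result is one past the end of the array when no range starts at pfn 0, and a qsort()-based setup that needs no such range. The simplified mnoderange_t, the mnr_pfnhi field, the function names and the sample pfn values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's mnoderange_t: mnr_pfnlo and mnr_next
 * are the field names from the report, mnr_pfnhi is assumed. */
typedef struct {
	uint64_t mnr_pfnlo, mnr_pfnhi;	/* first and last pfn of the range */
	int mnr_next;			/* next-higher range, -1 at the end */
} mnoderange_t;
/* The original "find lowest" loop: with no range starting at pfn 0 it returns
 * mindex, one past the end of the array, which the kernel then used unchecked. */
int find_lowest_pfn0(const mnoderange_t *mp, int mindex) {
	int i;
	for (i = 0; i < mindex && mp[i].mnr_pfnlo != 0; i++)	/* find lowest */
		;
	return (i);
}
static int cmp_pfnlo(const void *a, const void *b) {
	const mnoderange_t *x = a, *y = b;
	return ((x->mnr_pfnlo > y->mnr_pfnlo) - (x->mnr_pfnlo < y->mnr_pfnlo));
}
/* qsort()-based replacement: order by mnr_pfnlo and chain mnr_next upward;
 * no range has to start at pfn 0, index 0 is simply the lowest after sorting. */
int setup_ranges_sorted(mnoderange_t *mp, int mindex) {
	if (mindex <= 0)
		return (-1);
	qsort(mp, (size_t)mindex, sizeof (*mp), cmp_pfnlo);
	for (int i = 0; i < mindex; i++)
		mp[i].mnr_next = (i + 1 < mindex) ? i + 1 : -1;
	return (0);
}
/* Constructed sample as in the report: no memnode covers pfn 0; out of order. */
#define NSAMPLE 2
static mnoderange_t sample[NSAMPLE] = {
	{ 0xc40000, 0x183ffff, -1 }, { 0x4000, 0xc3ffff, -1 } };
/* 1 if the original loop would index one past the end of sample[]. */
int original_overruns(void) {
	return (find_lowest_pfn0(sample, NSAMPLE) == NSAMPLE);
}
/* 1 if the sorted setup yields a strictly ascending chain of NSAMPLE entries. */
int sorted_chain_ok(void) {
	int i, n = 0;
	if (setup_ranges_sorted(sample, NSAMPLE) != 0)
		return (0);
	for (i = 0; i != -1; i = sample[i].mnr_next, n++)
		if (sample[i].mnr_next != -1 &&
		    sample[sample[i].mnr_next].mnr_pfnlo <= sample[i].mnr_pfnlo)
			return (0);
	return (n == NSAMPLE);
}
```

The returned index from find_lowest_pfn0() is exactly the value the kernel's ASSERT(i < mindex) would have caught in a DEBUG build; in a non-DEBUG build it became the out-of-bounds index used for mp[last].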
Updated by Electric Monk over 4 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit dddac438d5629d72879f2701924b62774cb4eaf0
commit dddac438d5629d72879f2701924b62774cb4eaf0
Author: John Levon <john.levon@joyent.com>
Date: 2019-04-30T15:09:06.000Z

10806 mnode_range_setup() makes assumptions about mnodes
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Dan McDonald <danmcd@joyent.com>