From f01a883971c1a4fc76ed15fdaa0e112950f712d6 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Tue, 17 Jul 2018 18:53:32 +0900
Subject: [PATCH] devobj: fix out of bounds shift

Similarily, pgoff << PAGE_SHIFT would need pgoff to be unsigned to fit, but off_t is signed. The reason for this shift was to truncate the offset argument to be aligned to page boundaries, do that instead

Change-Id: I36c3de34b1834fdb0503942a6f3212e94986effd
---
 kernel/devobj.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/devobj.c b/kernel/devobj.c
index 2b0b7b4a..8b3e5e6f 100644
--- a/kernel/devobj.c
+++ b/kernel/devobj.c
@@ -149,7 +149,7 @@ int devobj_create(int fd, size_t len, off_t off, struct memobj **objp, int *maxp
  }
  obj->ref = 1;
- obj->pfn_pgoff = off / PAGE_SIZE;
+ obj->pfn_pgoff = off >> PAGE_SHIFT;
  obj->npages = npages;
  ihk_mc_spinlock_init(&obj->memobj.lock);
@@ -244,7 +244,7 @@ static void devobj_release(struct memobj *memobj)
 static int devobj_get_page(struct memobj *memobj, off_t off, int p2align, uintptr_t *physp, unsigned long *flag, uintptr_t virt_addr)
 {
- const off_t pgoff = off / PAGE_SIZE;
+ const off_t pgoff = off >> PAGE_SHIFT;
  struct devobj *obj = to_devobj(memobj);
  int error;
  uintptr_t pfn;
@@ -272,7 +272,7 @@ static int devobj_get_page(struct memobj *memobj, off_t off, int p2align, uintpt
  ihk_mc_syscall_arg0(&ctx) = PAGER_REQ_PFN;
  ihk_mc_syscall_arg1(&ctx) = obj->handle;
- ihk_mc_syscall_arg2(&ctx) = pgoff << PAGE_SHIFT;
+ ihk_mc_syscall_arg2(&ctx) = off & ~(PAGE_SIZE - 1);
  ihk_mc_syscall_arg3(&ctx) = virt_to_phys(&pfn);
  error = syscall_generic_forwarding(__NR_mmap, &ctx);
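Review bot: The new `const off_t pgoff = off >> PAGE_SHIFT;` in devobj_get_page (and the same expression for `obj->pfn_pgoff` in devobj_create in the first hunk) shifts a signed off_t, which the commit message itself points out; a right shift of a negative signed value is implementation-defined in C, and on the usual arithmetic-shift targets it rounds toward negative infinity where the replaced `off / PAGE_SIZE` rounded toward zero, so the two disagree for any negative `off` (-1 becomes -1 instead of 0). If every caller already guarantees `off >= 0` this is harmless, but nothing in the hunk shows that. I would either reject a negative offset before the shift or record the precondition next to the declaration, e.g. `/* off must be non-negative: >> on a negative off_t is implementation-defined */`. devobj_get_page's body continues past the hunk, and devobj_create's starts before the first hunk.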