]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0b7c202)
runtime: check the correct sanity condition in the page allocator
authorMichael Anthony Knyszek <mknyszek@google.com>
Sat, 28 Mar 2020 16:11:15 +0000 (16:11 +0000)
committerMichael Knyszek <mknyszek@google.com>
Mon, 30 Mar 2020 14:30:38 +0000 (14:30 +0000)
Currently there are a few sanity checks in the page allocator which
should fail immediately but because it's a check for a negative number
on a uint, it's actually dead-code.

If there's a bug in the page allocator which would cause the sanity
check to fail, this could cause memory corruption by returning an
invalid address (more precisely, one might either see a segfault, or
span overlap).

This change fixes these sanity checks to check the correct condition.

Fixes #38130.

Change-Id: Ia19786cece783d39f26df24dec8788833a6a3f21
Reviewed-on: https://go-review.googlesource.com/c/go/+/226297
Reviewed-by: Giovanni Bajo <rasky@develer.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
src/runtime/mpagealloc.go patch | blob | history
src/runtime/mpagecache.go patch | blob | history

diff --git a/src/runtime/mpagealloc.go b/src/runtime/mpagealloc.go
index bb751f1f8edff688cdadda7064560fae2042e5ef..60926fbebf891b2d9d8543a82ee22593fdc3f3e8 100644 (file)
--- a/src/runtime/mpagealloc.go
+++ b/src/runtime/mpagealloc.go
@@ -724,7 +724,7 @@ nextLevel:
        // is what the final level represents.
        ci := chunkIdx(i)
        j, searchIdx := s.chunkOf(ci).find(npages, 0)
-       if j < 0 {
+       if j == ^uint(0) {
                // We couldn't find any space in this chunk despite the summaries telling
                // us it should be there. There's likely a bug, so dump some state and throw.
                sum := s.summary[len(s.summary)-1][i]
@@ -766,7 +766,7 @@ func (s *pageAlloc) alloc(npages uintptr) (addr uintptr, scav uintptr) {
                i := chunkIndex(s.searchAddr)
                if max := s.summary[len(s.summary)-1][i].max(); max >= uint(npages) {
                        j, searchIdx := s.chunkOf(i).find(npages, chunkPageIndex(s.searchAddr))
-                       if j < 0 {
+                       if j == ^uint(0) {
                                print("runtime: max = ", max, ", npages = ", npages, "\n")
                                print("runtime: searchIdx = ", chunkPageIndex(s.searchAddr), ", s.searchAddr = ", hex(s.searchAddr), "\n")
                                throw("bad summary data")
diff --git a/src/runtime/mpagecache.go b/src/runtime/mpagecache.go
index 9fc338bd8e4f4ff7791fa337d75e40a4a2dce273..5b679d357d259e628e1df9d647fe11b85e1d5fcb 100644 (file)
--- a/src/runtime/mpagecache.go
+++ b/src/runtime/mpagecache.go
@@ -115,7 +115,7 @@ func (s *pageAlloc) allocToCache() pageCache {
                // Fast path: there's free pages at or near the searchAddr address.
                chunk := s.chunkOf(ci)
                j, _ := chunk.find(1, chunkPageIndex(s.searchAddr))
-               if j < 0 {
+               if j == ^uint(0) {
                        throw("bad summary data")
                }
                c = pageCache{
Go GOST TLS 1.3