pmalloc: u32 pp->index leads to va address overrun

[vpp.git] / src / vppinfra / pmalloc.c

diff --git a/src/vppinfra/pmalloc.c b/src/vppinfra/pmalloc.c
index 98e3369..e11d27e 100644 (file)
--- a/src/vppinfra/pmalloc.c
+++ b/src/vppinfra/pmalloc.c
@@ -101,7 +101,7 @@ clib_pmalloc_init (clib_pmalloc_main_t * pm, uword size)
       pm->base += off;
     }
 
-  munmap (pm->base + (pm->max_pages * pagesize), pagesize - off);
+  munmap (pm->base + ((uword) pm->max_pages * pagesize), pagesize - off);
   return 0;
 }
 
@@ -215,7 +215,7 @@ pmalloc_update_lookup_table (clib_pmalloc_main_t * pm, u32 first, u32 count)
   p = first * elts_per_page;
   if (pm->flags & CLIB_PMALLOC_F_NO_PAGEMAP)
     {
-      while (p < elts_per_page * count)
+      while (p < (uword) elts_per_page * count)
        {
          pm->lookup_table[p] = pointer_to_uword (pm->base) +
            (p << pm->lookup_log2_page_sz);
@@ -225,9 +225,10 @@ pmalloc_update_lookup_table (clib_pmalloc_main_t * pm, u32 first, u32 count)
     }
 
   fd = open ((char *) "/proc/self/pagemap", O_RDONLY);
-  while (p < elts_per_page * count)
+  while (p < (uword) elts_per_page * count)
     {
       va = pointer_to_uword (pm->base) + (p << pm->lookup_log2_page_sz);
+      pa = 0;
       seek = (va >> pm->sys_log2_page_sz) * sizeof (pa);
       if (fd != -1 && lseek (fd, seek, SEEK_SET) == seek &&
          read (fd, &pa, sizeof (pa)) == (sizeof (pa)) &&
@@ -289,7 +290,7 @@ pmalloc_map_pages (clib_pmalloc_main_t * pm, clib_pmalloc_arena_t * a,
       return 0;
     }
 
-  mmap_flags = MAP_FIXED | MAP_ANONYMOUS;
+  mmap_flags = MAP_FIXED;
 
   if ((pm->flags & CLIB_PMALLOC_F_NO_PAGEMAP) == 0)
     mmap_flags |= MAP_LOCKED;
@@ -306,10 +307,12 @@ pmalloc_map_pages (clib_pmalloc_main_t * pm, clib_pmalloc_arena_t * a,
        pm->error = clib_mem_create_fd ((char *) a->name, &a->fd);
       if (a->fd == -1)
        goto error;
+      if ((ftruncate (a->fd, size)) == -1)
+       goto error;
     }
   else
     {
-      mmap_flags |= MAP_PRIVATE;
+      mmap_flags |= MAP_PRIVATE | MAP_ANONYMOUS;
       a->fd = -1;
     }
 
@@ -356,6 +359,7 @@ pmalloc_map_pages (clib_pmalloc_main_t * pm, clib_pmalloc_arena_t * a,
       pp->n_free_blocks = 1 << (pm->def_log2_page_sz - PMALLOC_LOG2_BLOCK_SZ);
       pp->index = pp - pm->pages;
       pp->arena_index = a->index;
+      pp->pa = (uword) va + (1 << pm->def_log2_page_sz) * i;
       vec_add1 (a->page_indices, pp->index);
       a->n_pages++;
     }
@@ -425,7 +429,7 @@ clib_pmalloc_create_shared_arena (clib_pmalloc_main_t * pm, char *name,
       return 0;
     }
 
-  return pm->base + (pp->index << pm->def_log2_page_sz);
+  return pm->base + ((uword) pp->index << pm->def_log2_page_sz);
 }
 
 static inline void *
@@ -684,6 +688,27 @@ format_pmalloc (u8 * s, va_list * va)
   return s;
 }
 
+u8 *
+format_pmalloc_map (u8 * s, va_list * va)
+{
+  clib_pmalloc_main_t *pm = va_arg (*va, clib_pmalloc_main_t *);
+
+  u32 index;
+  s = format (s, "%16s %13s %8s", "virtual-addr", "physical-addr", "size");
+  vec_foreach_index (index, pm->lookup_table)
+  {
+    uword *lookup_val, pa, va;
+    lookup_val = vec_elt_at_index (pm->lookup_table, index);
+    va = pointer_to_uword (pm->base) + (index << pm->lookup_log2_page_sz);
+    pa = va - *lookup_val;
+    s =
+      format (s, "\n %16p %13p %8U", uword_to_pointer (va, u64),
+             uword_to_pointer (pa, u64), format_log2_page_size,
+             pm->lookup_log2_page_sz);
+  }
+  return s;
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *