From 5efaeee40c9e7790e57bcf90642f66a15c111334 Mon Sep 17 00:00:00 2001
From: Kingwel Xie <kingwel.xie@ericsson.com>
Date: Sat, 10 Nov 2018 02:56:00 -0500
Subject: [PATCH] pmalloc: u32 pp->index leads to va address overrun

when pagesize is 1G, this pm->base + (pp->index << pm->def_log2_page_sz) would very soon overrun if creating multiple mempools
add a (uword) to it

Change-Id: If769b99d344cc3f547418a242a7497d044071615
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
---
 src/vppinfra/pmalloc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/vppinfra/pmalloc.c b/src/vppinfra/pmalloc.c
index 62b4f60c2eb..e11d27ef77b 100644
--- a/src/vppinfra/pmalloc.c
+++ b/src/vppinfra/pmalloc.c
@@ -359,6 +359,7 @@ pmalloc_map_pages (clib_pmalloc_main_t * pm, clib_pmalloc_arena_t * a,
       pp->n_free_blocks = 1 << (pm->def_log2_page_sz - PMALLOC_LOG2_BLOCK_SZ);
       pp->index = pp - pm->pages;
       pp->arena_index = a->index;
+      pp->pa = (uword) va + (1 << pm->def_log2_page_sz) * i;
       vec_add1 (a->page_indices, pp->index);
       a->n_pages++;
     }
@@ -428,7 +429,7 @@ clib_pmalloc_create_shared_arena (clib_pmalloc_main_t * pm, char *name,
       return 0;
     }
 
-  return pm->base + (pp->index << pm->def_log2_page_sz);
+  return pm->base + ((uword) pp->index << pm->def_log2_page_sz);
 }
 
 static inline void *
-- 
2.16.6