Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Redefine bzimage_exec_context::mem_limit to be the highest permissible
byte, rather than the number of permissible bytes (i.e. subtract one
from the value under the previous definition to get the value under
the new definition).

This avoids integer overflow on 64-bit kernels, where
bzhdr.initrd_addr_max may be 0xffffffffffffffff; under the old
behaviour we set mem_limit equal to initrd_addr_max+1, which meant it
ended up as zero.  Kernel loads would fail with ENOBUFS.
  • Loading branch information
Michael Brown committed Sep 28, 2007
1 parent 14fb6ba commit 56550e4
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions src/arch/i386/image/bzimage.c
Expand Up @@ -141,6 +141,7 @@ static int bzimage_parse_cmdline ( struct image *image,
"terminator '%c'\n", image, *mem );
break;
}
exec_ctx->mem_limit -= 1;
}

return 0;
Expand Down Expand Up @@ -266,7 +267,7 @@ static int bzimage_load_initrds ( struct image *image,
return -ENOBUFS;
}
/* Check that we are within the kernel's range */
if ( ( address + total_len ) > exec_ctx->mem_limit )
if ( ( address + total_len - 1 ) > exec_ctx->mem_limit )
continue;
/* Prepare and verify segment */
if ( ( rc = prep_segment ( phys_to_user ( address ), 0,
Expand Down Expand Up @@ -315,9 +316,9 @@ static int bzimage_exec ( struct image *image ) {
( bzhdr.heap_end_ptr + 0x200 );
exec_ctx.vid_mode = bzhdr.vid_mode;
if ( bzhdr.version >= 0x0203 ) {
exec_ctx.mem_limit = ( bzhdr.initrd_addr_max + 1 );
exec_ctx.mem_limit = bzhdr.initrd_addr_max;
} else {
exec_ctx.mem_limit = ( BZI_INITRD_MAX + 1 );
exec_ctx.mem_limit = BZI_INITRD_MAX;
}

/* Parse command line for bootloader parameters */
Expand Down

0 comments on commit 56550e4

Please sign in to comment.