Fix integer overflow and remove unused code in space.cpp

Christian Ehrhardt Christian_Ehrhardt at genua.de
Tue May 3 13:52:16 CEST 2011


Remove unused code:
- Mem_space::reset_dirty() and Space::reset_dirty() are unused. Remove.
- Some Utcb-Area retrieval functions are unused and are no longer useful
  as there can be several Ku_mem areas. Remove.
- Space::is_user_memory should probably check for integer overflows;
  otherwise the check is not safe when performed with values provided by the user.


diff --git a/src/kernel/fiasco/src/kern/mem_space.cpp b/src/kernel/fiasco/src/kern/mem_space.cpp
index 8ac2cb3..080b881 100644
--- a/src/kernel/fiasco/src/kern/mem_space.cpp
+++ b/src/kernel/fiasco/src/kern/mem_space.cpp
@@ -246,14 +246,6 @@ Mem_space::ram_quota() const
 { return _quota; }
 
 
-/// Avoid deallocation of page table upon Mem_space destruction.
-PUBLIC
-void
-Mem_space::reset_dirty ()
-{
-  _dir = 0;
-}
-
 PUBLIC inline
 Mem_space::Dir_type*
 Mem_space::dir ()
diff --git a/src/kernel/fiasco/src/kern/space.cpp b/src/kernel/fiasco/src/kern/space.cpp
index 91659d2..a709da8 100644
--- a/src/kernel/fiasco/src/kern/space.cpp
+++ b/src/kernel/fiasco/src/kern/space.cpp
@@ -150,42 +150,6 @@ IMPLEMENTATION:
 // class Space
 //
 
-
-
-/**
- * UTCB area functions.
- */
-//@{
-
-
-/**
- * Get size of UTCB area in bytes.
- *
- * @return the size of the UTCB area in bytes.
- */
-PUBLIC inline
-unsigned long
-Space::utcb_area_size() const
-{ return _ku_mem->size; }
-
-PUBLIC inline
-Address
-Space::kern_utcb_area() const
-{ return (Address)_ku_mem->k_addr; }
-
-/**
- * Get the start of the UTCB area in the user address-space.
- *
- * @return the start address of the UTCB area in trhe user address-space.
- */
-PUBLIC inline
-Address
-Space::user_utcb_area() const
-{ return (Address)_ku_mem->u_addr.get(); }
-
-
-//@}
-
 PUBLIC
 Space::Ku_mem const *
 Space::find_ku_mem(User<void>::Ptr p, unsigned size)
@@ -193,6 +157,9 @@ Space::find_ku_mem(User<void>::Ptr p, unsigned size)
   if ((Address)p.get() & (sizeof(double) - 1))
     return 0;
 
+  /* Check for integer overflows! */
+  if ((Address)p.get() > (Address)((Address)p.get() + size))
+    return 0;
   for (Ku_mem const *f = _ku_mem; f; f = f->next)
     {
       Address a = (Address)f->u_addr.get();
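Review bot: The added guard in Space::find_ku_mem evaluates `p.get()` three times through nested casts, and its comment does not say what is being rejected. Hoisting the start address reads more clearly: `Address const start = (Address)p.get();` followed by `if (start + size < start) return 0;`. The test is only sound if Address is an unsigned type, which the hunk does not show, so a comment such as `/* reject requests whose end address wraps around; p and size are presumably caller-controlled */` would record that assumption. The range comparison inside the for loop lies outside the hunk, so it is worth confirming that it computes the end of the request in the same width as this guard.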
@@ -244,13 +211,6 @@ Ram_quota *
 Space::ram_quota() const
 { return _mem_space.get()->ram_quota(); }
 
-PROTECTED
-void
-Space::reset_dirty()
-{
-  _mem_space.get()->reset_dirty();
-}
-
 
 PUBLIC inline
 void
@@ -289,6 +249,7 @@ bool
 Space::is_user_memory(Address address, Mword len)
 {
   return    address < Mem_layout::User_max
+         && address <= address + len /* Check for integer overflows */
          && address + len <= Mem_layout::User_max;
 }
 
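Review bot: The new `address <= address + len` term in Space::is_user_memory still forms a sum that can wrap and only detects the wrap afterwards. Because the first term already establishes `address < Mem_layout::User_max`, the bound can be written without wrapping arithmetic as `&& len <= Mem_layout::User_max - address`, which replaces both the added line and the one after it. That form does not rely on wraparound behaviour of Address and Mword, whose definitions this hunk does not show. If the current form is kept, the comment should say why the check matters, e.g. `/* address and len may be user-supplied; reject ranges that wrap */`. The function's return type and qualifiers sit above the hunk.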



