From 4efc3430a040f033cdda576d1b32a762252afc24 Mon Sep 17 00:00:00 2001
From: Alex Smith
Date: Tue, 14 Aug 2012 17:46:09 +0100
Subject: [PATCH] Fixed possible NULL dereference in vm_page_fault.

This bug was introduced by changing IS_USER_ADDRESS to check against USER_BASE AND USER_TOP rather than just !IS_KERNEL_ADDRESS. Faults on addresses outside both the user and kernel address spaces (i.e. the gap between user and kernel) would result in addressSpace being NULL, but addressSpace was being used without checking for NULL at one point.
---
 src/system/kernel/vm/vm.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/system/kernel/vm/vm.cpp b/src/system/kernel/vm/vm.cpp
index 79eeb716e3..1559491fe5 100644
--- a/src/system/kernel/vm/vm.cpp
+++ b/src/system/kernel/vm/vm.cpp
@@ -4058,11 +4058,13 @@ vm_page_fault(addr_t address, addr_t faultAddress, bool isWrite, bool isUser,
 	}
 	} else {
 #if 1
-	addressSpace->ReadLock();
-
 	// TODO: remove me once we have proper userland debugging support
 	// (and tools)
-	VMArea* area = addressSpace->LookupArea(faultAddress);
+	VMArea* area = NULL;
+	if (addressSpace != NULL) {
+		addressSpace->ReadLock();
+		area = addressSpace->LookupArea(faultAddress);
+	}
 
 	Thread* thread = thread_get_current_thread();
 	dprintf("vm_page_fault: thread \"%s\" (%" B_PRId32 ") in team "
@@ -4127,7 +4129,8 @@ vm_page_fault(addr_t address, addr_t faultAddress, bool isWrite, bool isUser,
 	}
 # endif // 0 (stack trace)
 
-	addressSpace->ReadUnlock();
+	if (addressSpace != NULL)
+		addressSpace->ReadUnlock();
 #endif
 
 	// If the thread has a signal handler for SIGSEGV, we simply
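Review bot: When addressSpace is NULL the new code leaves `area` NULL and falls straight into the diagnostic dprintf, so every later use of `area` inside this `#if 1` block must already tolerate NULL; LookupArea() presumably could return NULL for an unmapped address before this change too, so that is likely already the case, but the lines consuming `area` lie outside the hunk and are worth confirming. The read lock is now taken conditionally here and released by a separately guarded ReadUnlock() about seventy lines later (second hunk), so a comment at the lock site would help the next reader: `// ReadLock() only when we have an address space; the ReadUnlock() at the end of this block is guarded the same way.` The diagnostic would also be more useful if it stated that the fault address lies outside both the user and kernel address spaces when addressSpace is NULL, since that is precisely the new case this change handles rather than a lookup miss. vm_page_fault begins before and continues after the hunk.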
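Review bot: The guarded ReadUnlock() is balanced only if addressSpace is not reassigned between the conditional ReadLock() in the first hunk and this line; the intervening lines are outside the hunk, so this is an assumption to confirm, and a short comment `// Paired with the conditional ReadLock() above.` would make the invariant explicit for anyone editing the block in between. As a point of style, the first hunk braces its single-statement if body while this one does not; using the same form in both places keeps the two guarded halves visibly symmetric. The enclosing function continues outside the hunk.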