added 1 changeset to branch 'refs/remotes/xyzzy-github/x86_64'
old head: a53cfbf4911ef182672f5a37779a047cfa971221
new head: 4efc3430a040f033cdda576d1b32a762252afc24
----------------------------------------------------------------------------
4efc343: Fixed possible NULL dereference in vm_page_fault.
This bug was introduced by changing IS_USER_ADDRESS to check against USER_BASE AND USER_TOP rather than just !IS_KERNEL_ADDRESS. Faults on addresses outside both the user and kernel address spaces (i.e. the gap between user and kernel) would result in addressSpace being NULL, but addressSpace was being used without checking for NULL at one point.
[ Alex Smith <alex@xxxxxxxxxxxxxxxx> ]
----------------------------------------------------------------------------
Commit: 4efc3430a040f033cdda576d1b32a762252afc24
Author: Alex Smith <alex@xxxxxxxxxxxxxxxx>
Date: Tue Aug 14 16:46:09 2012 UTC
----------------------------------------------------------------------------
1 file changed, 7 insertions(+), 4 deletions(-)
src/system/kernel/vm/vm.cpp | 11 +++++++----
----------------------------------------------------------------------------
diff --git a/src/system/kernel/vm/vm.cpp b/src/system/kernel/vm/vm.cpp
index 79eeb71..1559491 100644
--- a/src/system/kernel/vm/vm.cpp
+++ b/src/system/kernel/vm/vm.cpp
@@ -4058,11 +4058,13 @@ vm_page_fault(addr_t address, addr_t faultAddress, bool isWrite, bool isUser,
 }
 } else {
 #if 1
- addressSpace->ReadLock();
-
 // TODO: remove me once we have proper userland debugging support
 // (and tools)
- VMArea* area = addressSpace->LookupArea(faultAddress);
+ VMArea* area = NULL;
+ if (addressSpace != NULL) {
+ addressSpace->ReadLock();
+ area = addressSpace->LookupArea(faultAddress);
+ }
 Thread* thread = thread_get_current_thread();
 dprintf("vm_page_fault: thread \"%s\" (%" B_PRId32 ") in team 
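Review bot: The new `if (addressSpace != NULL)` guard around ReadLock()/LookupArea() carries no explanation of why a NULL address space can legitimately reach this point; the reason lives only in the commit message, and the next reader will wonder whether NULL signals a logic error upstream. Suggest a comment on the guard: `// addressSpace is NULL when faultAddress lies in the gap between user and kernel space (neither IS_USER_ADDRESS nor IS_KERNEL_ADDRESS), so there is nothing to lock or look up.` Where addressSpace is obtained is above the hunk; if this else-branch can also be reached for a kernel-mode fault (isUser == false), a NULL here would mean the kernel itself touched the gap, which arguably deserves a panic rather than falling through to the user-signal path further down — worth confirming against the branch condition. The dprintf that consumes `area` continues past the hunk, as does vm_page_fault itself.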
@@ -4127,7 +4129,8 @@ vm_page_fault(addr_t address, addr_t faultAddress, bool isWrite, bool isUser,
 }
 # endif // 0 (stack trace)
- addressSpace->ReadUnlock();
+ if (addressSpace != NULL) addressSpace->ReadUnlock();
 #endif
 // If the thread has a signal handler for SIGSEGV, we simply
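Review bot: The guarded ReadUnlock() on the `+` line is the second half of a lock/unlock pair whose first half sits roughly seventy lines earlier under an identical `if (addressSpace != NULL)`, with the `#if 0` stack-trace block in between; the pairing now relies on addressSpace never being reassigned and on nobody adding an early return in that stretch, and nothing marks the dependency. At minimum annotate it: `// Mirrors the NULL guard around ReadLock() before the dprintf above.` Better, if this file provides a scoped read-locker type that tolerates a NULL address space, declare one at the top of the `#if 1` block so the unlock cannot be skipped or mismatched. The trailing comment line is cut mid-sentence by the hunk boundary, and vm_page_fault extends on both sides of the hunk.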