diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-12-06 18:50:44 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-12-06 18:50:44 +0000 |
| commit | edc816d625f5f16b8d9fc7cfb5f2d5d75c9afe36 (patch) | |
| tree | bd52aaf6c8d1824fc1f06c59c0f1f9224ff63efd /lib | |
| parent | 74e540d788e37d312722a2a270a2478f58f2d787 (diff) | |
| download | src-edc816d625f5f16b8d9fc7cfb5f2d5d75c9afe36.tar.gz src-edc816d625f5f16b8d9fc7cfb5f2d5d75c9afe36.zip | |
Fix possible integer overflow in guest memory bounds checking, which could
lead to access from the virtual machine to the heap of the bhyve(8) process.
Submitted by: Felix Wilhelm <fwilhelm ernw.de>
Patch by: grehan
Security: FreeBSD-SA-16:38.bhyve
Notes
Notes:
svn path=/head/; revision=309640
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libvmmapi/vmmapi.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/libvmmapi/vmmapi.c b/lib/libvmmapi/vmmapi.c index 3a6f210e805d..8a4e3aec1046 100644 --- a/lib/libvmmapi/vmmapi.c +++ b/lib/libvmmapi/vmmapi.c @@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t gaddr, size_t len) { if (ctx->lowmem > 0) { - if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem) + if (gaddr < ctx->lowmem && len <= ctx->lowmem && + gaddr + len <= ctx->lowmem) return (ctx->baseaddr + gaddr); } if (ctx->highmem > 0) { - if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem) - return (ctx->baseaddr + gaddr); + if (gaddr >= 4*GB) { + if (gaddr < 4*GB + ctx->highmem && + len <= ctx->highmem && + gaddr + len <= 4*GB + ctx->highmem) + return (ctx->baseaddr + gaddr); + } } return (NULL); |