Date: Fri, 2 Dec 2016 19:02:13 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r309426 - in stable: 10/sys/amd64/amd64 10/sys/amd64/include 10/sys/i386/i386 10/sys/i386/include 11/sys/amd64/amd64 11/sys/i386/i386 11/sys/x86/include Message-ID: <201612021902.uB2J2Dn0070366@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Fri Dec 2 19:02:12 2016 New Revision: 309426 URL: https://svnweb.freebsd.org/changeset/base/309426 Log: MFC 303753,308004: Add bounds checking on addresses used with /dev/mem. 303753: Don't permit mappings of invalid physical addresses on amd64 via /dev/mem. 308004: MFamd64: Add bounds checks on addresses used with /dev/mem. Reject attempts to read from or memory map offsets in /dev/mem that are beyond the maximum-supported physical address of the current CPU. Modified: stable/11/sys/amd64/amd64/mem.c stable/11/sys/i386/i386/mem.c stable/11/sys/x86/include/x86_var.h Directory Properties: stable/11/ (props changed) Changes in other areas also in this revision: Modified: stable/10/sys/amd64/amd64/mem.c stable/10/sys/amd64/include/md_var.h stable/10/sys/i386/i386/mem.c stable/10/sys/i386/include/md_var.h Directory Properties: stable/10/ (props changed) Modified: stable/11/sys/amd64/amd64/mem.c ============================================================================== --- stable/11/sys/amd64/amd64/mem.c Fri Dec 2 18:03:15 2016 (r309425) +++ stable/11/sys/amd64/amd64/mem.c Fri Dec 2 19:02:12 2016 (r309426) @@ -140,7 +140,7 @@ memrw(struct cdev *dev, struct uio *uio, error = uiomove((void *)vd, c, uio); break; } - if (v >= (1ULL << cpu_maxphyaddr)) { + if (v > cpu_getmaxphyaddr()) { error = EFAULT; break; } @@ -168,9 +168,11 @@ int memmmap(struct cdev *dev, vm_ooffset_t offset, vm_paddr_t *paddr, int prot __unused, vm_memattr_t *memattr __unused) { - if (dev2unit(dev) == CDEV_MINOR_MEM) + if (dev2unit(dev) == CDEV_MINOR_MEM) { + if (offset > cpu_getmaxphyaddr()) + return (-1); *paddr = offset; - else if (dev2unit(dev) == CDEV_MINOR_KMEM) + } else if (dev2unit(dev) == CDEV_MINOR_KMEM) *paddr = vtophys(offset); /* else panic! */ return (0); Modified: stable/11/sys/i386/i386/mem.c ============================================================================== --- stable/11/sys/i386/i386/mem.c Fri Dec 2 18:03:15 2016 (r309425) +++ stable/11/sys/i386/i386/mem.c Fri Dec 2 19:02:12 2016 (r309426) @@ -108,8 +108,11 @@ memrw(struct cdev *dev, struct uio *uio, continue; } if (dev2unit(dev) == CDEV_MINOR_MEM) { - pa = uio->uio_offset; - pa &= ~PAGE_MASK; + if (uio->uio_offset > cpu_getmaxphyaddr()) { + error = EFAULT; + break; + } + pa = trunc_page(uio->uio_offset); } else { /* * Extract the physical page since the mapping may @@ -161,9 +164,11 @@ int memmmap(struct cdev *dev, vm_ooffset_t offset, vm_paddr_t *paddr, int prot __unused, vm_memattr_t *memattr __unused) { - if (dev2unit(dev) == CDEV_MINOR_MEM) + if (dev2unit(dev) == CDEV_MINOR_MEM) { + if (offset > cpu_getmaxphyaddr()) + return (-1); *paddr = offset; - else if (dev2unit(dev) == CDEV_MINOR_KMEM) + } else if (dev2unit(dev) == CDEV_MINOR_KMEM) *paddr = vtophys(offset); /* else panic! */ return (0); Modified: stable/11/sys/x86/include/x86_var.h ============================================================================== --- stable/11/sys/x86/include/x86_var.h Fri Dec 2 18:03:15 2016 (r309425) +++ stable/11/sys/x86/include/x86_var.h Fri Dec 2 19:02:12 2016 (r309426) @@ -94,6 +94,20 @@ struct trapframe; */ typedef void alias_for_inthand_t(void); +/* + * Returns the maximum physical address that can be used with the + * current system. + */ +static __inline vm_paddr_t +cpu_getmaxphyaddr(void) +{ +#if defined(__i386__) && !defined(PAE) + return (0xffffffff); +#else + return ((1ULL << cpu_maxphyaddr) - 1); +#endif +} + void *alloc_fpusave(int flags); void busdma_swi(void); bool cpu_mwait_usable(void);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201612021902.uB2J2Dn0070366>