Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 6 Dec 2016 18:50:44 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r309640 - head/lib/libvmmapi
Message-ID:  <201612061850.uB6IojX6017320@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: glebius
Date: Tue Dec  6 18:50:44 2016
New Revision: 309640
URL: https://svnweb.freebsd.org/changeset/base/309640

Log:
  Fix possible integer overflow in guest memory bounds checking, which could
  lead to access from the virtual machine to the heap of the bhyve(8) process.
  
  Submitted by:	Felix Wilhelm <fwilhelm ernw.de>
  Patch by:	grehan
  Security:	FreeBSD-SA-16:38.bhyve

Modified:
  head/lib/libvmmapi/vmmapi.c

Modified: head/lib/libvmmapi/vmmapi.c
==============================================================================
--- head/lib/libvmmapi/vmmapi.c	Tue Dec  6 18:50:33 2016	(r309639)
+++ head/lib/libvmmapi/vmmapi.c	Tue Dec  6 18:50:44 2016	(r309640)
@@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t
 {
 
 	if (ctx->lowmem > 0) {
-		if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+		if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+		    gaddr + len <= ctx->lowmem)
 			return (ctx->baseaddr + gaddr);
 	}
 
 	if (ctx->highmem > 0) {
-		if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
-			return (ctx->baseaddr + gaddr);
+                if (gaddr >= 4*GB) {
+			if (gaddr < 4*GB + ctx->highmem &&
+			    len <= ctx->highmem &&
+			    gaddr + len <= 4*GB + ctx->highmem)
+				return (ctx->baseaddr + gaddr);
+		}
 	}
 
 	return (NULL);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201612061850.uB6IojX6017320>