Author: glebius
Date: Tue Dec 6 18:50:44 2016
New Revision: 309640
URL: https://svnweb.freebsd.org/changeset/base/309640
Log:
Fix possible integer overflow in guest memory bounds checking, which could
lead to access from the virtual machine to the heap of the bhyve(8) process.
Submitted by: Felix Wilhelm <fwilhelm ernw.de>
Patch by: grehan
Security: FreeBSD-SA-16:38.bhyve
Modified:
head/lib/libvmmapi/vmmapi.c
Modified: head/lib/libvmmapi/vmmapi.c
==============================================================================
--- head/lib/libvmmapi/vmmapi.c Tue Dec 6 18:50:33 2016 (r309639)
+++ head/lib/libvmmapi/vmmapi.c Tue Dec 6 18:50:44 2016 (r309640)
@@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t
{
if (ctx->lowmem > 0) {
- if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+ if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+ gaddr + len <= ctx->lowmem)
return (ctx->baseaddr + gaddr);
}
if (ctx->highmem > 0) {
- if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
- return (ctx->baseaddr + gaddr);
+ if (gaddr >= 4*GB) {
+ if (gaddr < 4*GB + ctx->highmem &&
+ len <= ctx->highmem &&
+ gaddr + len <= 4*GB + ctx->highmem)
+ return (ctx->baseaddr + gaddr);
+ }
}
return (NULL);
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
