Fix possible integer overflow in guest memory bounds checking, which could

lead to access from the virtual machine to the heap of the bhyve(8) process. Submitted by: Felix Wilhelm <fwilhelm ernw.de> Patch by: grehan Security: FreeBSD-SA-16:38.bhyve
2016-12-06 18:50:44 +00:00 · 2016-12-06 18:50:44 +00:00 · 224897e572
commit 224897e572
parent e7aed7dacb
1 changed files with 8 additions and 3 deletions
--- a/lib/libvmmapi/vmmapi.c
+++ b/lib/libvmmapi/vmmapi.c
@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t gaddr, size_t len)
 {

 	if (ctx->lowmem > 0) {
-		if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+		if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+		    gaddr + len <= ctx->lowmem)
 			return (ctx->baseaddr + gaddr);
 	}

 	if (ctx->highmem > 0) {
-		if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
-			return (ctx->baseaddr + gaddr);
+                if (gaddr >= 4*GB) {
+			if (gaddr < 4*GB + ctx->highmem &&
+			    len <= ctx->highmem &&
+			    gaddr + len <= 4*GB + ctx->highmem)
+				return (ctx->baseaddr + gaddr);
+		}
 	}

 	return (NULL);