Author: glebius
Date: Tue Dec 6 18:54:43 2016
New Revision: 309647
URL: https://svnweb.freebsd.org/changeset/base/309647
Log:
Merge r309640 from head:
Fix possible integer overflow in guest memory bounds checking, which could
lead to access from the virtual machine to the heap of the bhyve(8) process.
Submitted by: Felix Wilhelm <fwilhelm ernw.de>
Patch by: grehan
Security: FreeBSD-SA-16:38.bhyve
Modified:
stable/11/lib/libvmmapi/vmmapi.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/lib/libvmmapi/vmmapi.c
==============================================================================
--- stable/11/lib/libvmmapi/vmmapi.c Tue Dec 6 18:54:04 2016
(r309646)
+++ stable/11/lib/libvmmapi/vmmapi.c Tue Dec 6 18:54:43 2016
(r309647)
@@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t
{
if (ctx->lowmem > 0) {
- if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+ if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+ gaddr + len <= ctx->lowmem)
return (ctx->baseaddr + gaddr);
}
if (ctx->highmem > 0) {
- if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
- return (ctx->baseaddr + gaddr);
+ if (gaddr >= 4*GB) {
+ if (gaddr < 4*GB + ctx->highmem &&
+ len <= ctx->highmem &&
+ gaddr + len <= 4*GB + ctx->highmem)
+ return (ctx->baseaddr + gaddr);
+ }
}
return (NULL);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
