From 890556b1a84fcb87800478d87dc6eb53d420885d Mon Sep 17 00:00:00 2001
From: Mike Larkin
Date: Thu, 24 Dec 2015 09:26:46 +0000
Subject: Make sure we don't overflow a page during vm_readpage/vm_writepage. Noticed over a month ago by Stefan Kempf , and I shamefully just got around to committing it. Thanks Stefan.
---
 sys/arch/amd64/amd64/vmm.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/sys/arch/amd64/amd64/vmm.c b/sys/arch/amd64/amd64/vmm.c
index e9acba4e691..cfdd4ecfe68 100644
--- a/sys/arch/amd64/amd64/vmm.c
+++ b/sys/arch/amd64/amd64/vmm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm.c,v 1.26 2015/12/17 09:29:28 mlarkin Exp $ */
+/* $OpenBSD: vmm.c,v 1.27 2015/12/24 09:26:45 mlarkin Exp $ */
 /*
 * Copyright (c) 2014 Mike Larkin
 *
@@ -394,6 +394,12 @@ vm_readpage(struct vm_readpage_params *vrp)
 return (ENOENT);
 }
 
+ /* Check that the data to be read is within a page */
+ if (vrp->vrp_len > (PAGE_SIZE - (vrp->vrp_paddr & PAGE_MASK))) {
+ rw_exit_read(&vmm_softc->vm_lock);
+ return (EINVAL);
+ }
+
 /* Calculate page containing vrp->vrp_paddr */
 vr_page = vrp->vrp_paddr & ~PAGE_MASK;
 
@@ -527,6 +533,12 @@ vm_writepage(struct vm_writepage_params *vwp)
 return (ENOENT);
 }
 
+ /* Check that the data to be written is within a page */
+ if (vwp->vwp_len > (PAGE_SIZE - (vwp->vwp_paddr & PAGE_MASK))) {
+ rw_exit_read(&vmm_softc->vm_lock);
+ return (EINVAL);
+ }
+
 /* Calculate page containing vwp->vwp_paddr */
 vw_page = vwp->vwp_paddr & ~PAGE_MASK;
 
--
cgit v1.2.3
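Review bot: The new length check in vm_readpage reads only caller-supplied fields (`vrp_len`, `vrp_paddr`), yet it runs with `vmm_softc->vm_lock` held and so adds one more early return that must remember `rw_exit_read()`; the matching check in the vm_writepage hunk has the same shape. If nothing earlier in the function is needed for it (the lock acquisition and VM lookup lie outside the hunk, so this is inferred), the test could move ahead of the lock as `if (vrp->vrp_len > (PAGE_SIZE - (vrp->vrp_paddr & PAGE_MASK))) return (EINVAL);`, at the cost of returning EINVAL before ENOENT when both apply. The comparison is written against the bytes remaining in the page, which cannot underflow as long as PAGE_MASK is PAGE_SIZE - 1, and the comment could record that intent, e.g. `/* vrp_len must fit in the bytes left in this page; keep the subtraction form */`. A zero `vrp_len` still passes the check; whether the copy that follows tolerates a zero-length request is not visible here and is worth confirming.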