From ad15259d2c522b9f14927c88b76dd720b497a9bd Mon Sep 17 00:00:00 2001
From: Richard Braun
Date: Thu, 9 Jun 2016 14:47:24 +0200
Subject: Fix overflow checking on VM map copyin

* vm/vm_map (vm_map_copyin, vm_map_copyin_page_list): Check overflow
before page alignment of source data.
---
 vm/vm_map.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

(limited to 'vm/vm_map.c')

diff --git a/vm/vm_map.c b/vm/vm_map.c
index 4476812d..4490878d 100644
--- a/vm/vm_map.c
+++ b/vm/vm_map.c
@@ -3144,6 +3144,14 @@ kern_return_t vm_map_copyin(
 return(KERN_SUCCESS);
 }
 
+ /*
+ * Check that the end address doesn't overflow
+ */
+
+ if ((src_addr + len) <= src_addr) {
+ return KERN_INVALID_ADDRESS;
+ }
+
 /*
 * Compute start and end of region
 */
@@ -3152,12 +3160,12 @@ kern_return_t vm_map_copyin(
 src_end = round_page(src_addr + len);
 
 /*
- * Check that the end address doesn't overflow
+ * XXX VM maps shouldn't end at maximum address
 */
 
- if (src_end <= src_start)
- if ((src_end < src_start) || (src_start != 0))
- return(KERN_INVALID_ADDRESS);
+ if (src_end == 0) {
+ return KERN_INVALID_ADDRESS;
+ }
 
 /*
 * Allocate a header element for the list.
@@ -3621,6 +3629,14 @@ kern_return_t vm_map_copyin_page_list(
 return(KERN_SUCCESS);
 }
 
+ /*
+ * Check that the end address doesn't overflow
+ */
+
+ if ((src_addr + len) <= src_addr) {
+ return KERN_INVALID_ADDRESS;
+ }
+
 /*
 * Compute start and end of region
 */
@@ -3629,10 +3645,10 @@ kern_return_t vm_map_copyin_page_list(
 src_end = round_page(src_addr + len);
 
 /*
- * Check that the end address doesn't overflow
+ * XXX VM maps shouldn't end at maximum address
 */
 
- if (src_end <= src_start && (src_end < src_start || src_start != 0)) {
+ if (src_end == 0) {
 return KERN_INVALID_ADDRESS;
 }
 
-- 
cgit v1.2.3
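Review bot: The new `if (src_end == 0)` test in the second hunk of vm_map_copyin is only sufficient because round_page() of an address inside the last page wraps to exactly zero, and the `XXX VM maps shouldn't end at maximum address` comment does not say so; replace it with `/* round_page() wraps to 0 when src_addr + len lies in the last page, i.e. the rounded region would end past the top of the address space. */`. The added pre-rounding check `(src_addr + len) <= src_addr` in the first hunk is correct only because a zero `len` has presumably already been handled by the early `return(KERN_SUCCESS)` visible just above it, otherwise the `<=` would reject a valid zero-length request; a one-line comment `/* len != 0 here, so equality can only mean wrap-around. */` would pin that dependency for future maintainers. The same two points apply to the corresponding hunks in vm_map_copyin_page_list, where the checks are duplicated verbatim. Both functions begin before their first hunk and continue after their last.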