authorRichard Braun <rbraun@sceen.net>2016-06-09 14:47:24 +0200
committerRichard Braun <rbraun@sceen.net>2016-06-09 14:51:05 +0200
commitad15259d2c522b9f14927c88b76dd720b497a9bd (patch)
tree60588a0ae7da2f5ccfc38e3a894e304514bf92fb /vm
parentc89365ecc6c06d98511bc947cd680c5f1ae91383 (diff)
Fix overflow checking on VM map copyin
* vm/vm_map (vm_map_copyin, vm_map_copyin_page_list): Check overflow before page alignment of source data.
Diffstat (limited to 'vm')
-rw-r--r--vm/vm_map.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/vm/vm_map.c b/vm/vm_map.c
index 4476812d..4490878d 100644
--- a/vm/vm_map.c
+++ b/vm/vm_map.c
@@ -3145,6 +3145,14 @@ kern_return_t vm_map_copyin(
}
/*
+ * Check that the end address doesn't overflow
+ */
+
+ if ((src_addr + len) <= src_addr) {
+ return KERN_INVALID_ADDRESS;
+ }
+
+ /*
* Compute start and end of region
*/
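Review bot: The added test `(src_addr + len) <= src_addr` also rejects `len == 0`, so it is only correct if the zero-length case has already returned before this point; the closing brace just above the new comment is presumably the end of that early return, but it lies outside the hunk. I would make the dependency explicit in the comment, e.g. `/* len != 0 here, so <= also rejects a range that ends exactly at the top of the address space */`. The check further assumes both operands are unsigned and of the same width so that the wrap is well defined; the declarations are not visible here and should be confirmed. The identical block is added to vm_map_copyin_page_list in the third hunk, and a small `static` helper shared by both would keep the two copies from drifting apart.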
@@ -3152,12 +3160,12 @@ kern_return_t vm_map_copyin(
src_end = round_page(src_addr + len);
/*
- * Check that the end address doesn't overflow
+ * XXX VM maps shouldn't end at maximum address
*/
- if (src_end <= src_start)
- if ((src_end < src_start) || (src_start != 0))
- return(KERN_INVALID_ADDRESS);
+ if (src_end == 0) {
+ return KERN_INVALID_ADDRESS;
+ }
/*
* Allocate a header element for the list.
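Review bot: The new comment `XXX VM maps shouldn't end at maximum address` does not say what `src_end == 0` guards against. With the unaligned sum already validated earlier in the function, the remaining wrap is `round_page(src_addr + len)` rounding up past the top of the address space, which (assuming the usual round-up-to-page-boundary definition) yields exactly 0. I would state that in the comment, e.g. `/* round_page() wraps to 0 when src_addr + len lies in the last page */`, so the test is not later removed as redundant or moved ahead of the unaligned check it depends on. The same applies to the fourth hunk in vm_map_copyin_page_list; the `src_start` assignment and the rest of both functions are outside the hunks.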
@@ -3622,6 +3630,14 @@ kern_return_t vm_map_copyin_page_list(
}
/*
+ * Check that the end address doesn't overflow
+ */
+
+ if ((src_addr + len) <= src_addr) {
+ return KERN_INVALID_ADDRESS;
+ }
+
+ /*
* Compute start and end of region
*/
@@ -3629,10 +3645,10 @@ kern_return_t vm_map_copyin_page_list(
src_end = round_page(src_addr + len);
/*
- * Check that the end address doesn't overflow
+ * XXX VM maps shouldn't end at maximum address
*/
- if (src_end <= src_start && (src_end < src_start || src_start != 0)) {
+ if (src_end == 0) {
return KERN_INVALID_ADDRESS;
}