Make sure we don't overflow a page during vm_readpage/vm_writepage.

Noticed over a month ago by Stefan Kempf <sn.kempf at t-online.de>, and I
shamefully just got around to committing it. Thanks Stefan.

1 files changed, 13 insertions, 1 deletions

diff --git a/sys/arch/amd64/amd64/vmm.c b/sys/arch/amd64/amd64/vmm.c
index e9acba4e691..cfdd4ecfe68 100644
--- a/sys/arch/amd64/amd64/vmm.c
+++ b/sys/arch/amd64/amd64/vmm.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmm.c,v 1.26 2015/12/17 09:29:28 mlarkin Exp $	*/
+/*	$OpenBSD: vmm.c,v 1.27 2015/12/24 09:26:45 mlarkin Exp $	*/
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -394,6 +394,12 @@ vm_readpage(struct vm_readpage_params *vrp)
 		return (ENOENT);
 	}
 
+	/* Check that the data to be read is within a page */
+	if (vrp->vrp_len > (PAGE_SIZE - (vrp->vrp_paddr & PAGE_MASK))) {
+		rw_exit_read(&vmm_softc->vm_lock);
+		return (EINVAL);
+	}
+
 	/* Calculate page containing vrp->vrp_paddr */
 	vr_page = vrp->vrp_paddr & ~PAGE_MASK;
 
@@ -527,6 +533,12 @@ vm_writepage(struct vm_writepage_params *vwp)
 		return (ENOENT);
 	}
 
+	/* Check that the data to be written is within a page */
+	if (vwp->vwp_len > (PAGE_SIZE - (vwp->vwp_paddr & PAGE_MASK))) {
+		rw_exit_read(&vmm_softc->vm_lock);
+		return (EINVAL);
+	}
+
 	/* Calculate page containing vwp->vwp_paddr */
 	vw_page = vwp->vwp_paddr & ~PAGE_MASK;