From f264e4e233ec1083a30cb6b50d0d0ac53cc6fb86 Mon Sep 17 00:00:00 2001
From: jhb
Date: Fri, 2 Dec 2016 19:02:12 +0000
Subject: MFC 303753,308004: Add bounds checking on addresses used with /dev/mem. 303753: Don't permit mappings of invalid physical addresses on amd64 via /dev/mem. 308004: MFamd64: Add bounds checks on addresses used with /dev/mem. Reject attempts to read from or memory map offsets in /dev/mem that are beyond the maximum-supported physical address of the current CPU.
---
 sys/i386/i386/mem.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'sys/i386')
diff --git a/sys/i386/i386/mem.c b/sys/i386/i386/mem.c
index b036bd3..003f207f 100644
--- a/sys/i386/i386/mem.c
+++ b/sys/i386/i386/mem.c
@@ -108,8 +108,11 @@ memrw(struct cdev *dev, struct uio *uio, int flags)
 continue;
 }
 if (dev2unit(dev) == CDEV_MINOR_MEM) {
- pa = uio->uio_offset;
- pa &= ~PAGE_MASK;
+ if (uio->uio_offset > cpu_getmaxphyaddr()) {
+ error = EFAULT;
+ break;
+ }
+ pa = trunc_page(uio->uio_offset);
 } else {
 /*
 * Extract the physical page since the mapping may
@@ -161,9 +164,11 @@ int
 memmmap(struct cdev *dev, vm_ooffset_t offset, vm_paddr_t *paddr,
 int prot __unused, vm_memattr_t *memattr __unused)
 {
- if (dev2unit(dev) == CDEV_MINOR_MEM)
+ if (dev2unit(dev) == CDEV_MINOR_MEM) {
+ if (offset > cpu_getmaxphyaddr())
+ return (-1);
 *paddr = offset;
- else if (dev2unit(dev) == CDEV_MINOR_KMEM)
+ } else if (dev2unit(dev) == CDEV_MINOR_KMEM)
 *paddr = vtophys(offset);
 /* else panic! */
 return (0);
-- 
cgit v1.1
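Review bot: The new guard `uio->uio_offset > cpu_getmaxphyaddr()` in memrw rejects a negative offset only through implicit conversion, because uio_offset is a signed off_t and the return type of cpu_getmaxphyaddr() is not visible in this hunk. If that type is unsigned and at least as wide as off_t, a negative value converts to a very large one and is refused; with a narrower or signed return type it would pass the check and reach trunc_page(). Writing the condition as `if (uio->uio_offset < 0 || uio->uio_offset > cpu_getmaxphyaddr()) {` makes the bound independent of the helper's prototype. The same applies to `offset` in the memmmap hunk, if its type is signed. memrw's body starts and ends outside the hunk.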
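Review bot: The bounds check added to memmmap covers only the CDEV_MINOR_MEM branch. In the CDEV_MINOR_KMEM branch `offset` still goes to vtophys() unchecked, and for any other unit the function falls through to `return (0);` without writing `*paddr`. Whether vtophys() is safe for an arbitrary caller-supplied address is not visible here, so that is worth confirming against its definition. For the fall-through I would replace the `/* else panic! */` comment with `else return (-1);`, so an unexpected unit fails the mapping instead of reporting success with an unset address. memmmap's closing brace lies outside the hunk.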