libkvm: Bounds check (more) PTE indices.

2026-06-04 14:26:03 -04:00 · 2016-07-18 01:03:39 +00:00 · 2016-07-18 01:03:39 +00:00 · 8fb15a24ce
commit 8fb15a24ce
parent 197eca22ed
3 changed files with 10 additions and 0 deletions
--- a/lib/libkvm/kvm_minidump_arm.c
+++ b/lib/libkvm/kvm_minidump_arm.c
@ -184,6 +184,8 @@ _arm_minidump_kvatop(kvm_t *kd, kvaddr_t va, off_t *pa)

 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> ARM_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = _kvm32toh(kd, ptemap[pteindex]);
 		if ((pte & ARM_L2_TYPE_MASK) == ARM_L2_TYPE_INV) {
 			_kvm_err(kd, kd->program,
--- a/lib/libkvm/kvm_minidump_i386.c
+++ b/lib/libkvm/kvm_minidump_i386.c
@ -162,6 +162,8 @@ _i386_minidump_vatop_pae(kvm_t *kd, kvaddr_t va, off_t *pa)

 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> I386_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = le64toh(ptemap[pteindex]);
 		if ((pte & I386_PG_V) == 0) {
 			_kvm_err(kd, kd->program,
@ -207,6 +209,8 @@ _i386_minidump_vatop(kvm_t *kd, kvaddr_t va, off_t *pa)

 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> I386_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = le32toh(ptemap[pteindex]);
 		if ((pte & I386_PG_V) == 0) {
 			_kvm_err(kd, kd->program,
--- a/lib/libkvm/kvm_minidump_mips.c
+++ b/lib/libkvm/kvm_minidump_mips.c
@ -221,9 +221,13 @@ _mips_minidump_kvatop(kvm_t *kd, kvaddr_t va, off_t *pa)
 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> MIPS_PAGE_SHIFT;
 		if (vm->pte_size == 64) {
+			if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap64))
+				goto invalid;
 			pte = _kvm64toh(kd, ptemap64[pteindex]);
 			a = MIPS64_PTE_TO_PA(pte);
 		} else {
+			if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap32))
+				goto invalid;
 			pte = _kvm32toh(kd, ptemap32[pteindex]);
 			a = MIPS32_PTE_TO_PA(pte);
 		}