From 8fb15a24ceb2fa5cfd4849466dd9ca2a27ce2bff Mon Sep 17 00:00:00 2001
From: Will Andrews
Date: Mon, 18 Jul 2016 01:03:39 +0000
Subject: [PATCH] libkvm: Bounds check (more) PTE indices.
---
 lib/libkvm/kvm_minidump_arm.c | 2 ++
 lib/libkvm/kvm_minidump_i386.c | 4 ++++
 lib/libkvm/kvm_minidump_mips.c | 4 ++++
 3 files changed, 10 insertions(+)
diff --git a/lib/libkvm/kvm_minidump_arm.c b/lib/libkvm/kvm_minidump_arm.c
index e3063ec6233..f24a3eea1f3 100644
--- a/lib/libkvm/kvm_minidump_arm.c
+++ b/lib/libkvm/kvm_minidump_arm.c
@@ -184,6 +184,8 @@ _arm_minidump_kvatop(kvm_t *kd, kvaddr_t va, off_t *pa)
 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> ARM_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = _kvm32toh(kd, ptemap[pteindex]);
 		if ((pte & ARM_L2_TYPE_MASK) == ARM_L2_TYPE_INV) {
 			_kvm_err(kd, kd->program,
diff --git a/lib/libkvm/kvm_minidump_i386.c b/lib/libkvm/kvm_minidump_i386.c
index 20871498c22..a154adf91a5 100644
--- a/lib/libkvm/kvm_minidump_i386.c
+++ b/lib/libkvm/kvm_minidump_i386.c
@@ -162,6 +162,8 @@ _i386_minidump_vatop_pae(kvm_t *kd, kvaddr_t va, off_t *pa)
 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> I386_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = le64toh(ptemap[pteindex]);
 		if ((pte & I386_PG_V) == 0) {
 			_kvm_err(kd, kd->program,
@@ -207,6 +209,8 @@ _i386_minidump_vatop(kvm_t *kd, kvaddr_t va, off_t *pa)
 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> I386_PAGE_SHIFT;
+		if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap))
+			goto invalid;
 		pte = le32toh(ptemap[pteindex]);
 		if ((pte & I386_PG_V) == 0) {
 			_kvm_err(kd, kd->program,
diff --git a/lib/libkvm/kvm_minidump_mips.c b/lib/libkvm/kvm_minidump_mips.c
index 97b0824fa23..bec6426e168 100644
--- a/lib/libkvm/kvm_minidump_mips.c
+++ b/lib/libkvm/kvm_minidump_mips.c
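Review bot: The new guard in `_arm_minidump_kvatop` jumps to `invalid` without saying why, whereas the pte-validity failure two lines below first reports its cause through `_kvm_err(kd, kd->program, ...)`; an index that exceeds the pte map (a truncated or corrupt dump header) is the same class of diagnostic and would be easier to triage with a message such as `_kvm_err(kd, kd->program, "_arm_minidump_kvatop: pteindex out of range");` before the `goto`. The identical pattern appears in both kvm_minidump_i386.c hunks (`_i386_minidump_vatop_pae` and `_i386_minidump_vatop`) and in the kvm_minidump_mips.c hunk, so the same message (with the respective function name) applies there. The `invalid` label and the rest of each function lie outside these hunks, so whether `invalid:` already prints a generic message could not be confirmed from here; even if it does, a one-line comment on the guard, e.g. `/* ptesize is the byte length of the pte map read from the dump header. */`, would tell a reader why the division gives the entry count. `_arm_minidump_kvatop` begins and ends outside the hunk.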
@@ -221,9 +221,13 @@ _mips_minidump_kvatop(kvm_t *kd, kvaddr_t va, off_t *pa)
 	if (va >= vm->hdr.kernbase) {
 		pteindex = (va - vm->hdr.kernbase) >> MIPS_PAGE_SHIFT;
 		if (vm->pte_size == 64) {
+			if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap64))
+				goto invalid;
 			pte = _kvm64toh(kd, ptemap64[pteindex]);
 			a = MIPS64_PTE_TO_PA(pte);
 		} else {
+			if (pteindex >= vm->hdr.ptesize / sizeof(*ptemap32))
+				goto invalid;
 			pte = _kvm32toh(kd, ptemap32[pteindex]);
 			a = MIPS32_PTE_TO_PA(pte);
 		}
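Review bot: The bound is written twice here, once per `pte_size` branch, with only the element size differing, which leaves two copies of the same guard to keep in step. Computing the entry count once ahead of the `if (vm->pte_size == 64)` test, e.g. `npte = vm->hdr.ptesize / (vm->pte_size == 64 ? sizeof(*ptemap64) : sizeof(*ptemap32));` followed by a single `if (pteindex >= npte) goto invalid;`, would leave each branch with just the pte decoding. That introduces one local (`npte` is a constructed name), whose declaration would go in the function prologue outside this hunk. `_mips_minidump_kvatop` begins and ends outside the hunk.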