From edc816d625f5f16b8d9fc7cfb5f2d5d75c9afe36 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Tue, 6 Dec 2016 18:50:44 +0000
Subject: [PATCH] Fix possible integer overflow in guest memory bounds
 checking, which could lead to access from the virtual machine to the heap of
 the bhyve(8) process.

Submitted by:	Felix Wilhelm <fwilhelm ernw.de>
Patch by:	grehan
Security:	FreeBSD-SA-16:38.bhyve
---
 lib/libvmmapi/vmmapi.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/libvmmapi/vmmapi.c b/lib/libvmmapi/vmmapi.c
index 3a6f210e805..8a4e3aec104 100644
--- a/lib/libvmmapi/vmmapi.c
+++ b/lib/libvmmapi/vmmapi.c
@@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t gaddr, size_t len)
 {
 
 	if (ctx->lowmem > 0) {
-		if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+		if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+		    gaddr + len <= ctx->lowmem)
 			return (ctx->baseaddr + gaddr);
 	}
 
 	if (ctx->highmem > 0) {
-		if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
-			return (ctx->baseaddr + gaddr);
+                if (gaddr >= 4*GB) {
+			if (gaddr < 4*GB + ctx->highmem &&
+			    len <= ctx->highmem &&
+			    gaddr + len <= 4*GB + ctx->highmem)
+				return (ctx->baseaddr + gaddr);
+		}
 	}
 
 	return (NULL);