xnu-1504.3.12.tar.gz

[apple/xnu.git] / osfmk / x86_64 / loose_ends.c

diff --git a/osfmk/x86_64/loose_ends.c b/osfmk/x86_64/loose_ends.c
index 5ad70b32332065d0c911c3df05c6d64c9912e999..e8a1605a75957a0fdb12d28d7f0c595d7f2894e6 100644 (file)
--- a/osfmk/x86_64/loose_ends.c
+++ b/osfmk/x86_64/loose_ends.c
@@ -663,14 +663,15 @@ copyio(int copy_type, user_addr_t user_addr, char *kernel_addr,
 
         pmap = thread->map->pmap;
 
+
+       assert((vm_offset_t)kernel_addr >= VM_MIN_KERNEL_AND_KEXT_ADDRESS ||
+              copy_type == COPYINPHYS || copy_type == COPYOUTPHYS);
+
        /* Sanity and security check for addresses to/from a user */
-       if ((copy_type == COPYIN ||
-            copy_type == COPYINSTR ||
-            copy_type == COPYOUT) &&
-           (pmap != kernel_pmap) &&
-           ((vm_offset_t)kernel_addr < VM_MIN_KERNEL_AND_KEXT_ADDRESS ||
-            !IS_USERADDR64_CANONICAL(user_addr))) {
-               error = EACCES;
+
+       if (((pmap != kernel_pmap) && (use_kernel_map == 0)) &&
+           ((nbytes && (user_addr+nbytes <= user_addr)) || ((user_addr + nbytes) > vm_map_max(thread->map)))) {
+               error = EFAULT;
                goto out;
        }