From 3ea37b86e38a87ee35eefb5d8fcc38b8dc8e2903 Mon Sep 17 00:00:00 2001
From: Geoffrey McRae
Date: Mon, 26 Aug 2024 14:37:21 +1000
Subject: [PATCH] [module] check vmf->pgoff before using it

As reported by @Crispy-fried-chicken in issue #1133 there is a potential XXE vulnerability here. This fixes this problem by verifying the value of `vmf->pgff` does not exceed the bounds of the memory mapping.

Fixes: #1133
---
 module/dkms.conf | 2 +-
 module/kvmfr.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/module/dkms.conf b/module/dkms.conf
index 486a61ed..332123e6 100644
--- a/module/dkms.conf
+++ b/module/dkms.conf
@@ -1,5 +1,5 @@
 PACKAGE_NAME="kvmfr"
-PACKAGE_VERSION="0.0.10"
+PACKAGE_VERSION="0.0.11"
 BUILT_MODULE_NAME[0]="${PACKAGE_NAME}"
 MAKE[0]="make KDIR=${kernel_source_dir}"
 CLEAN="make KDIR=${kernel_source_dir} clean"
diff --git a/module/kvmfr.c b/module/kvmfr.c
index c99a5d79..62149039 100644
--- a/module/kvmfr.c
+++ b/module/kvmfr.c
@@ -88,8 +88,12 @@ static vm_fault_t kvmfr_vm_fault(struct vm_fault *vmf)
 {
   struct vm_area_struct *vma = vmf->vma;
   struct kvmfrbuf *kbuf = (struct kvmfrbuf *)vma->vm_private_data;
+  pgoff_t pgoff = vmf->pgoff;
 
-  vmf->page = kbuf->pages[vmf->pgoff];
+  if (pgoff >= kbuf->pagecount)
+    return VM_FAULT_SIGBUS;
+
+  vmf->page = kbuf->pages[pgoff];
   get_page(vmf->page);
   return 0;
 }
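Review bot: The new `if (pgoff >= kbuf->pagecount)` guard in kvmfr_vm_fault is the right bound but carries no explanation of why it is sufficient, and a reader may wonder whether `vma->vm_pgoff` must be added first; since the kernel computes `vmf->pgoff` relative to the file (the mapping offset is already folded in), comparing against `kbuf->pagecount` is the complete check, and a comment such as `/* vmf->pgoff is file-relative (vm_pgoff already included), so pagecount is the full bound; an offset past the buffer must not index pages[] */` would make that explicit. The check only runs at fault time, so an over-sized mmap (offset plus length beyond the buffer) is still accepted and the caller finds out via SIGBUS on first touch; if the module's mmap handler does not already reject `vma->vm_pgoff + vma_pages(vma) > kbuf->pagecount` with -EINVAL, doing so there would fail fast and keep this guard as defence in depth, though that handler is outside this hunk. The commit message describes the issue as XXE, whereas the code change addresses an out-of-bounds index into `kbuf->pages[]`; naming it as such in the message and in the comment would help future readers find the fix from the CVE/issue text. kvmfr_vm_fault is contained entirely within the hunk.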