From 29ade3e610e9ec0a414635473770167ffba08a46 Mon Sep 17 00:00:00 2001
From: Weiyi Wang <wwylele@gmail.com>
Date: Sun, 11 Nov 2018 12:38:52 -0500
Subject: [PATCH] Process: check source/target overlap for Map/Unmap

---
 src/core/hle/kernel/process.cpp | 38 ++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/src/core/hle/kernel/process.cpp b/src/core/hle/kernel/process.cpp
index 97ff283b8..235d14043 100644
--- a/src/core/hle/kernel/process.cpp
+++ b/src/core/hle/kernel/process.cpp
@@ -321,15 +321,21 @@ ResultCode Process::Map(VAddr target, VAddr source, u32 size, VMAPermission perm
         return ERR_INVALID_ADDRESS_STATE;
     }
 
-    if (source == target) {
+    // Check range overlapping
+    if (source - target < size || target - source < size) {
         if (privileged) {
-            // privileged Map allows identical source and target address, which simply changes the
-            // state and the permission of the memory
-            return vm_manager.ChangeMemoryState(source, size, MemoryState::Private,
-                                                VMAPermission::ReadWrite, MemoryState::AliasCode,
-                                                perms);
+            if (source == target) {
+                // privileged Map allows identical source and target address, which simply changes
+                // the state and the permission of the memory
+                return vm_manager.ChangeMemoryState(source, size, MemoryState::Private,
+                                                    VMAPermission::ReadWrite,
+                                                    MemoryState::AliasCode, perms);
+            } else {
+                return ERR_INVALID_ADDRESS;
+            }
+        } else {
+            return ERR_INVALID_ADDRESS_STATE;
         }
-        return ERR_INVALID_ADDRESS_STATE;
     }
 
     MemoryState source_state = privileged ? MemoryState::Locked : MemoryState::Aliased;
@@ -367,14 +373,20 @@ ResultCode Process::Unmap(VAddr target, VAddr source, u32 size, VMAPermission pe
     // TODO(wwylele): check that the source and the target are actually a pair created by Map
     // Should return error 0xD8E007F5 in this case
 
-    if (source == target) {
+    if (source - target < size || target - source < size) {
         if (privileged) {
-            // privileged Unmap allows identical source and target address, which simply changes
-            // the state and the permission of the memory
-            return vm_manager.ChangeMemoryState(source, size, MemoryState::AliasCode,
-                                                VMAPermission::None, MemoryState::Private, perms);
+            if (source == target) {
+                // privileged Unmap allows identical source and target address, which simply changes
+                // the state and the permission of the memory
+                return vm_manager.ChangeMemoryState(source, size, MemoryState::AliasCode,
+                                                    VMAPermission::None, MemoryState::Private,
+                                                    perms);
+            } else {
+                return ERR_INVALID_ADDRESS;
+            }
+        } else {
+            return ERR_INVALID_ADDRESS_STATE;
         }
-        return ERR_INVALID_ADDRESS_STATE;
     }
 
     MemoryState source_state = privileged ? MemoryState::Locked : MemoryState::Aliased;