mirror of https://github.com/RGBCube/serenity synced 2025-05-23 18:25:08 +00:00

Kernel: User pointer validation should reject kernel-only addresses

We were happily allowing syscalls with pointers into kernel-only
regions (virtual address >= 0xc0000000).

This patch fixes that by only considering user regions in the current
process, and also double-checking the Region::is_user_accessible() flag
before approving an access.

Thanks to Fire30 for finding the bug! :^)
Andreas Kling 2019-12-31 00:21:50 +01:00
parent 25d7a7efa6
commit 0fc24fe256


@ -592,14 +592,14 @@ bool MemoryManager::validate_user_stack(const Process& process, VirtualAddress v
bool MemoryManager::validate_user_read(const Process& process, VirtualAddress vaddr) const bool MemoryManager::validate_user_read(const Process& process, VirtualAddress vaddr) const
{ {
auto* region = region_from_vaddr(process, vaddr); auto* region = user_region_from_vaddr(const_cast<Process&>(process), vaddr);
return region && region->is_readable(); return region && region->is_user_accessible() && region->is_readable();
} }
bool MemoryManager::validate_user_write(const Process& process, VirtualAddress vaddr) const bool MemoryManager::validate_user_write(const Process& process, VirtualAddress vaddr) const
{ {
auto* region = region_from_vaddr(process, vaddr); auto* region = user_region_from_vaddr(const_cast<Process&>(process), vaddr);
return region && region->is_writable(); return region && region->is_user_accessible() && region->is_writable();
} }
void MemoryManager::register_vmobject(VMObject& vmobject) void MemoryManager::register_vmobject(VMObject& vmobject)
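Review bot: Both rewritten validators call `user_region_from_vaddr(const_cast<Process&>(process), vaddr)`, which casts away const inside a const member function that receives a `const Process&`; if the lookup does not mutate the process, a `const Process&` overload of `user_region_from_vaddr` would remove the cast from validate_user_read and validate_user_write. The `is_user_accessible()` test after a user-only lookup is intentional double-checking according to the commit message, so it deserves a comment such as `// Defense in depth: a region from the user list must still be flagged user-accessible.` validate_user_stack, named in the hunk header, lies outside this hunk, so it is not visible whether it still goes through `region_from_vaddr`; it should presumably get the same user-only lookup. Each validator checks only the region containing the single `vaddr`, so callers that validate a buffer presumably have to cover its whole length, which is worth confirming at the call sites.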