From 198d64180886e6fad2997513c4c8f68b1338f4e4 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sun, 14 Feb 2021 09:03:54 +0100
Subject: [PATCH] Kernel: Panic on attempt to map mmap'ed page at a kernel address

If we somehow get tricked into mapping user-controlled mmap memory at a kernel address, let's just panic the kernel.
---
 Kernel/VM/Region.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Kernel/VM/Region.cpp b/Kernel/VM/Region.cpp
index dcf416149a..94bcb677c2 100644
--- a/Kernel/VM/Region.cpp
+++ b/Kernel/VM/Region.cpp
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -258,6 +259,12 @@ bool Region::map_individual_page_impl(size_t page_index)
 {
 ASSERT(m_page_directory->get_lock().own_lock());
 auto page_vaddr = vaddr_from_page_index(page_index);
+
+ bool user_allowed = page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr);
+ if (is_mmap() && !user_allowed) {
+ PANIC("About to map mmap'ed page at a kernel address");
+ }
+
 auto* pte = MM.ensure_pte(*m_page_directory, page_vaddr);
 if (!pte)
 return false;
@@ -274,7 +281,7 @@ bool Region::map_individual_page_impl(size_t page_index)
 pte->set_writable(is_writable());
 if (Processor::current().has_feature(CPUFeature::NX))
 pte->set_execute_disabled(!is_executable());
- pte->set_user_allowed(page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr));
+ pte->set_user_allowed(user_allowed);
 }
 return true;
 }
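Review bot: The new guard in the second hunk panics on `is_mmap() && !user_allowed`, but `user_allowed` is also false for a user-space address below 0x00800000, so a PANIC whose message says "kernel address" would also fire for a low user address if an mmap region can ever be placed there; unless the mmap syscall path is known to reject such addresses beforehand, a user-reachable PANIC is a denial of service rather than a defense. Splitting the two conditions keeps the hard stop for the genuinely dangerous case only: `if (is_mmap() && !is_user_address(page_vaddr))` followed by `PANIC("About to map mmap'ed page at a kernel address");`, while `user_allowed` is still computed as before for `set_user_allowed`. The literal 0x00800000 now feeds a security decision and deserves a one-line comment naming which boundary it is, or better a named constant, so the next reader does not have to guess why addresses below it are never user-accessible. The body of map_individual_page_impl starts before this hunk (only its signature is in the hunk header) and continues into the following hunk.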