From 22b0ff05d4a5b087d805d8147ca12efe410cb18f Mon Sep 17 00:00:00 2001
From: Jorropo
Date: Thu, 28 Jan 2021 22:36:20 +0100
Subject: [PATCH] Kernel: sys$mmap PAGE_ROUND_UP size before calling allocate_randomized (#5154)

`allocate_randomized` assert an already sanitized size but `mmap` were just forwarding whatever the process asked so it was possible to trigger a kernel panic from an unpriviliged process just by asking some randomly placed memory and a size non alligned with the page size. This fixes this issue by rounding up to the next page size before calling `allocate_randomized`.
Fixes #5149
---
 Kernel/Syscalls/mmap.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Kernel/Syscalls/mmap.cpp b/Kernel/Syscalls/mmap.cpp
index be1ebdf818..49c14ddba9 100644
--- a/Kernel/Syscalls/mmap.cpp
+++ b/Kernel/Syscalls/mmap.cpp
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -137,7 +138,7 @@ void* Process::sys$mmap(Userspace user_params)
 Optional range;
 if (map_randomized) {
- range = page_directory().range_allocator().allocate_randomized(size, alignment);
+ range = page_directory().range_allocator().allocate_randomized(PAGE_ROUND_UP(size), alignment);
 } else {
 range = allocate_range(VirtualAddress(addr), size, alignment);
 if (!range.has_value()) {
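Review bot: `PAGE_ROUND_UP(size)` is applied only inside the `map_randomized` branch of the second hunk, so the `else` branch still passes the caller-supplied `size` to `allocate_range` unrounded and the two paths now treat the same userspace value differently. Rounding once ahead of the branch, `size = PAGE_ROUND_UP(size);` placed before `if (map_randomized) {`, would keep the allocated range and every later use of `size` in agreement, assuming those later uses expect a page multiple. The round-up can also wrap to 0 when `size` lies within a page of the type's maximum, which would likely re-trigger the assertion in `allocate_randomized` that this commit is meant to make unreachable from userspace. An upper-bound check on `size` before rounding would close that, unless one already exists earlier in `sys$mmap`, whose body starts and ends outside this hunk.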