1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 15:37:46 +00:00

Kernel: sys$mmap PAGE_ROUND_UP size before calling allocate_randomized (#5154)

`allocate_randomized` assert an already sanitized size but `mmap` were
just forwarding whatever the process asked so it was possible to
trigger a kernel panic from an unpriviliged process just by asking some
randomly placed memory and a size non alligned with the page size.
This fixes this issue by rounding up to the next page size before
calling `allocate_randomized`.

Fixes #5149
This commit is contained in:
Jorropo 2021-01-28 22:36:20 +01:00 committed by GitHub
parent eafe4f942d
commit 22b0ff05d4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -27,6 +27,7 @@
#include <AK/WeakPtr.h>
#include <Kernel/FileSystem/FileDescription.h>
#include <Kernel/Process.h>
#include <Kernel/VM/MemoryManager.h>
#include <Kernel/VM/PageDirectory.h>
#include <Kernel/VM/PrivateInodeVMObject.h>
#include <Kernel/VM/Region.h>
@ -137,7 +138,7 @@ void* Process::sys$mmap(Userspace<const Syscall::SC_mmap_params*> user_params)
Optional<Range> range;
if (map_randomized) {
range = page_directory().range_allocator().allocate_randomized(size, alignment);
range = page_directory().range_allocator().allocate_randomized(PAGE_ROUND_UP(size), alignment);
} else {
range = allocate_range(VirtualAddress(addr), size, alignment);
if (!range.has_value()) {