From 303620ea85c47928fce0f121b213e8ea0190f335 Mon Sep 17 00:00:00 2001
From: Brian Gianforcaro
Date: Wed, 24 Feb 2021 06:02:51 -0800
Subject: [PATCH] Kernel: Fix pointer overflow in create_thread

KUBSAN found this overflow from syscall fuzzing.

Fixes #5498
---
 Kernel/Syscalls/thread.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Kernel/Syscalls/thread.cpp b/Kernel/Syscalls/thread.cpp
index 6ad8e266c7..34d285f417 100644
--- a/Kernel/Syscalls/thread.cpp
+++ b/Kernel/Syscalls/thread.cpp
@@ -24,6 +24,7 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+#include
 #include
 #include
 #include
@@ -45,6 +46,9 @@ int Process::sys$create_thread(void* (*entry)(void*), Userspace::addition_would_overflow((FlatPtr)params.m_stack_location, stack_size))
+ return -EOVERFLOW;
+
 auto user_stack_address = (u8*)params.m_stack_location + stack_size;
 if (!MM.validate_user_stack(*this, VirtualAddress(user_stack_address - 4)))
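Review bot: The new guard only covers the addition, so the context line `VirtualAddress(user_stack_address - 4)` can still wrap below address zero when `m_stack_location + stack_size` is smaller than 4 (a zero or near-zero user stack location with a tiny stack size), which is the same class of user-controlled pointer arithmetic the commit is closing, unless stack_size is bounded earlier in the function, which this hunk does not show. Extending the same `if` with `|| (FlatPtr)params.m_stack_location + stack_size < 4` before the `auto user_stack_address` line rejects that case without touching the later validation. The added `if` line itself appears garbled on this page (the `Checked<...>` template text was stripped along with the hunk-header signature), so the exact condition should be read from the repository rather than from here. The body of sys$create_thread continues outside the hunk.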