mirror of https://github.com/RGBCube/serenity synced 2025-07-25 23:17:45 +00:00

Kernel: Fix pointer overflow in create_thread

KUBSAN found this overflow from syscall fuzzing.

Fixes #5498
Brian Gianforcaro 2021-02-24 06:02:51 -08:00 committed by Andreas Kling
parent 7db8ccc0e4
commit 303620ea85


@ -24,6 +24,7 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/Checked.h>
#include <AK/String.h>
#include <AK/StringBuilder.h>
#include <AK/StringView.h>
@ -45,6 +46,9 @@ int Process::sys$create_thread(void* (*entry)(void*), Userspace<const Syscall::S
int schedule_priority = params.m_schedule_priority;
unsigned stack_size = params.m_stack_size;
if (Checked<FlatPtr>::addition_would_overflow((FlatPtr)params.m_stack_location, stack_size))
return -EOVERFLOW;
auto user_stack_address = (u8*)params.m_stack_location + stack_size;
if (!MM.validate_user_stack(*this, VirtualAddress(user_stack_address - 4)))
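Review bot: The `user_stack_address - 4` in the last line of this hunk can still wrap, because the added check only rejects an overflowing `m_stack_location + stack_size`; a userspace-supplied location and size whose sum is below 4 (for example both zero) move the pointer below address zero before `validate_user_stack` sees it. Whether `validate_user_stack` rejects the wrapped address is not visible here, but the subtraction itself is the same class of pointer overflow that KUBSAN reported. Rejecting undersized stacks next to the new check would close it, e.g. `if (stack_size < 4) return -EINVAL;`, or the whole computation could be done in `Checked<FlatPtr>` and converted to a pointer only after `has_overflow()` has been tested. The body of `sys$create_thread` continues outside the hunk, so later uses of `user_stack_address` were not reviewed.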