Kernel: Fix pointer overflow in create_thread

KUBSAN found this overflow from syscall fuzzing. Fixes #5498
2025-07-25 14:07:46 +00:00 · 2021-02-24 06:02:51 -08:00 · 2021-02-24 06:02:51 -08:00 · 303620ea85
commit 303620ea85
parent 7db8ccc0e4
1 changed files with 4 additions and 0 deletions
--- a/Kernel/Syscalls/thread.cpp
+++ b/Kernel/Syscalls/thread.cpp
@ -24,6 +24,7 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

+#include <AK/Checked.h>
 #include <AK/String.h>
 #include <AK/StringBuilder.h>
 #include <AK/StringView.h>
@ -45,6 +46,9 @@ int Process::sys$create_thread(void* (*entry)(void*), Userspace<const Syscall::S
    int schedule_priority = params.m_schedule_priority;
    unsigned stack_size = params.m_stack_size;

+    if (Checked<FlatPtr>::addition_would_overflow((FlatPtr)params.m_stack_location, stack_size))
+        return -EOVERFLOW;
+
    auto user_stack_address = (u8*)params.m_stack_location + stack_size;

    if (!MM.validate_user_stack(*this, VirtualAddress(user_stack_address - 4)))