RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 20:47:45 +00:00
Code Issues Activity Actions

Kernel: Make Region weakable and use WeakPtr<Region> instead of Region*

Browse source 
This turns use-after-free bugs into null pointer dereferences instead.
This commit is contained in:
Andreas Kling 2020-02-24 13:24:30 +01:00
parent 79576f9280
commit 30a8991dbf
5 changed files with 14 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Kernel/Process.cpp
View file

@ -273,7 +273,7 @@ Region* Process::region_from_range(const Range& range)
for (auto& region : m_regions) { for (auto& region : m_regions) {
if (region.vaddr() == range.base() && region.size() == size) { if (region.vaddr() == range.base() && region.size() == size) {
m_region_lookup_cache.range = range; m_region_lookup_cache.range = range;
m_region_lookup_cache.region = &region; m_region_lookup_cache.region = region.make_weak_ptr();
return &region; return &region;
} }
} }

3
Kernel/Process.h
View file

@ -31,6 +31,7 @@
#include <AK/InlineLinkedList.h> #include <AK/InlineLinkedList.h>
#include <AK/NonnullOwnPtrVector.h> #include <AK/NonnullOwnPtrVector.h>
#include <AK/String.h> #include <AK/String.h>
#include <AK/WeakPtr.h>
#include <Kernel/FileSystem/InodeMetadata.h> #include <Kernel/FileSystem/InodeMetadata.h>
#include <Kernel/Forward.h> #include <Kernel/Forward.h>
#include <Kernel/Lock.h> #include <Kernel/Lock.h>
@ -479,7 +480,7 @@ private:
NonnullOwnPtrVector<Region> m_regions; NonnullOwnPtrVector<Region> m_regions;
struct RegionLookupCache { struct RegionLookupCache {
Range range; Range range;
Region* region { nullptr }; WeakPtr<Region> region;
}; };
RegionLookupCache m_region_lookup_cache; RegionLookupCache m_region_lookup_cache;

9
Kernel/SharedBuffer.cpp
View file

@ -86,12 +86,13 @@ void* SharedBuffer::ref_for_process_and_get_address(Process& process)
for (auto& ref : m_refs) { for (auto& ref : m_refs) {
if (ref.pid == process.pid()) { if (ref.pid == process.pid()) {
ref.count++; if (!ref.region) {
m_total_refs++; auto* region = process.allocate_region_with_vmobject(VirtualAddress(), size(), m_vmobject, 0, "SharedBuffer", PROT_READ | (m_writable ? PROT_WRITE : 0));
if (ref.region == nullptr) { ref.region = region->make_weak_ptr();
ref.region = process.allocate_region_with_vmobject(VirtualAddress(), size(), m_vmobject, 0, "SharedBuffer", PROT_READ | (m_writable ? PROT_WRITE : 0));
ref.region->set_shared(true); ref.region->set_shared(true);
} }
ref.count++;
m_total_refs++;
sanity_check("ref_for_process_and_get_address"); sanity_check("ref_for_process_and_get_address");
return ref.region->vaddr().as_ptr(); return ref.region->vaddr().as_ptr();
} }

3
Kernel/SharedBuffer.h
View file

@ -27,6 +27,7 @@
#pragma once #pragma once
#include <AK/OwnPtr.h> #include <AK/OwnPtr.h>
#include <AK/WeakPtr.h>
#include <Kernel/VM/MemoryManager.h> #include <Kernel/VM/MemoryManager.h>
#include <Kernel/VM/PurgeableVMObject.h> #include <Kernel/VM/PurgeableVMObject.h>
@ -42,7 +43,7 @@ private:
pid_t pid; pid_t pid;
unsigned count { 0 }; unsigned count { 0 };
Region* region { nullptr }; WeakPtr<Region> region;
}; };
public: public:

5
Kernel/VM/Region.h
View file

@ -28,6 +28,7 @@
#include <AK/InlineLinkedList.h> #include <AK/InlineLinkedList.h>
#include <AK/String.h> #include <AK/String.h>
#include <AK/Weakable.h>
#include <Kernel/Heap/SlabAllocator.h> #include <Kernel/Heap/SlabAllocator.h>
#include <Kernel/VM/RangeAllocator.h> #include <Kernel/VM/RangeAllocator.h>
@ -41,7 +42,9 @@ enum class PageFaultResponse {
Continue, Continue,
}; };
class Region final : public InlineLinkedListNode<Region> { class Region final
: public InlineLinkedListNode<Region>
, public Weakable<Region> {
friend class MemoryManager; friend class MemoryManager;
MAKE_SLAB_ALLOCATED(Region) MAKE_SLAB_ALLOCATED(Region)