Kernel: Fix TOCTOU in syscall entry region validation

We were doing stack and syscall-origin region validations before taking the big process lock. There was a window of time where those regions could then be unmapped/remapped by another thread before we proceed with our syscall. This patch closes that window, and makes sys$get_stack_bounds() rely on the fact that we now know the userspace stack pointer to be valid. Thanks to @BenWiederhake for spotting this! :^)
2025-05-31 19:58:11 +00:00 · 2021-02-14 11:44:21 +01:00 · 2021-02-14 11:44:21 +01:00 · 4188373020
commit 4188373020
parent 10b7f6b77e
2 changed files with 6 additions and 4 deletions
--- a/Kernel/Syscall.cpp
+++ b/Kernel/Syscall.cpp
@ -169,6 +169,9 @@ void syscall_handler(TrapFrame* trap)
        PANIC("Syscall from process with IOPL != 0");
    }

+    // NOTE: We take the big process lock before inspecting memory regions.
+    process.big_lock().lock();
+
    if (!MM.validate_user_stack(process, VirtualAddress(regs.userspace_esp))) {
        dbgln("Invalid stack pointer: {:p}", regs.userspace_esp);
        handle_crash(regs, "Bad stack on syscall entry", SIGSTKFLT);
@ -190,7 +193,6 @@ void syscall_handler(TrapFrame* trap)
        handle_crash(regs, "Syscall from non-syscall region", SIGSEGV);
    }

-    process.big_lock().lock();
    u32 function = regs.eax;
    u32 arg1 = regs.edx;
    u32 arg2 = regs.ecx;