From 47cc3e68c614e47b7bb344fdb49e6ad479c80234 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Mon, 6 Jan 2020 13:27:14 +0100
Subject: [PATCH] Kernel: Remove bogus kernel image access validation checks

This code had been misinterpreting the Multiboot ELF section headers since the beginning. Furthermore QEMU wasn't even passing us any headers at all, so this wasn't checking anything.
---
 Kernel/Process.cpp | 42 ------------------------------------------
 1 file changed, 42 deletions(-)

diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index eaec04e787..5e202ef373 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -44,7 +44,6 @@
 #include
 #include
 #include
-#include
 //#define DEBUG_POLL_SELECT
 //#define DEBUG_IO
@@ -2040,43 +2039,12 @@ pid_t Process::sys$waitpid(pid_t waitee, int* wstatus, int options)
     return waitee_pid;
 }
 
-enum class KernelMemoryCheckResult {
-    NotInsideKernelMemory,
-    AccessGranted,
-    AccessDenied
-};
-
-static KernelMemoryCheckResult check_kernel_memory_access(VirtualAddress vaddr, bool is_write)
-{
-    auto& sections = multiboot_info_ptr->u.elf_sec;
-
-    auto* kernel_program_headers = (Elf32_Phdr*)(sections.addr);
-    for (unsigned i = 0; i < sections.num; ++i) {
-        auto& segment = kernel_program_headers[i];
-        if (segment.p_type != PT_LOAD || !segment.p_vaddr || !segment.p_memsz)
-            continue;
-        if (vaddr.get() < segment.p_vaddr || vaddr.get() > (segment.p_vaddr + segment.p_memsz))
-            continue;
-        if (is_write && !(kernel_program_headers[i].p_flags & PF_W))
-            return KernelMemoryCheckResult::AccessDenied;
-        if (!is_write && !(kernel_program_headers[i].p_flags & PF_R))
-            return KernelMemoryCheckResult::AccessDenied;
-        return KernelMemoryCheckResult::AccessGranted;
-    }
-    return KernelMemoryCheckResult::NotInsideKernelMemory;
-}
-
 bool Process::validate_read_from_kernel(VirtualAddress vaddr, ssize_t size) const
 {
     if (vaddr.is_null())
         return false;
     // We check extra carefully here since the first 4MB of the address space is identity-mapped.
     // This code allows access outside of the known used address ranges to get caught.
-    auto kmc_result = check_kernel_memory_access(vaddr, false);
-    if (kmc_result == KernelMemoryCheckResult::AccessGranted)
-        return true;
-    if (kmc_result == KernelMemoryCheckResult::AccessDenied)
-        return false;
     if (is_kmalloc_address(vaddr.as_ptr()))
         return true;
     return MM.validate_kernel_read(*this, vaddr, size);
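Review bot: The two context lines `// We check extra carefully here since the first 4MB of the address space is identity-mapped.` and `// This code allows access outside of the known used address ranges to get caught.` in validate_read_from_kernel described the check_kernel_memory_access() call this hunk deletes, so on the new side they now sit above a plain is_kmalloc_address() test and promise more than the remaining code does. I would reduce them to something the surviving lines support, e.g. `// The first 4MB are identity-mapped, so a non-null kernel address is only accepted if it is a kmalloc address or MM.validate_kernel_read() allows it.`. Per the commit message the removed branch never returned AccessGranted/AccessDenied under QEMU, so behaviour there looks unchanged; on a bootloader that did supply section headers, ring-0 accesses into the kernel image that the old code would have denied now fall through to the later checks, which is presumably intended but worth confirming against MM.validate_kernel_read. The same dead-check removal appears in the validate_read and validate_write hunks below, which have no comment to update. The closing brace of validate_read_from_kernel is outside the hunk.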
@@ -2094,11 +2062,6 @@ bool Process::validate_read(const void* address, ssize_t size) const
     ASSERT(size >= 0);
     VirtualAddress first_address((u32)address);
     if (is_ring0()) {
-        auto kmc_result = check_kernel_memory_access(first_address, false);
-        if (kmc_result == KernelMemoryCheckResult::AccessGranted)
-            return true;
-        if (kmc_result == KernelMemoryCheckResult::AccessDenied)
-            return false;
         if (is_kmalloc_address(address))
             return true;
     }
@@ -2114,11 +2077,6 @@ bool Process::validate_write(void* address, ssize_t size) const
     if (is_ring0()) {
         if (is_kmalloc_address(address))
             return true;
-        auto kmc_result = check_kernel_memory_access(first_address, true);
-        if (kmc_result == KernelMemoryCheckResult::AccessGranted)
-            return true;
-        if (kmc_result == KernelMemoryCheckResult::AccessDenied)
-            return false;
     }
     if (!size)
         return false;