RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 14:47:46 +00:00
Code Issues Activity Actions

Kernel: Round up ranges to page size multiples in munmap and mprotect

Browse source 
This prevents passing bad inputs to RangeAllocator who then asserts.

Found by fuzz-syscalls. :^)
This commit is contained in:
Andreas Kling 2021-02-13 00:47:47 +01:00
parent e1dbf74f15
commit 7551090056
2 changed files with 18 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

23
Kernel/Syscalls/mmap.cpp
View file

@ -160,7 +160,7 @@ void* Process::sys$mmap(Userspace<const Syscall::SC_mmap_params*> user_params)
if (alignment & ~PAGE_MASK)
return (void*)-EINVAL;
if (!is_user_range(VirtualAddress(addr), size))
if (!is_user_range(VirtualAddress(addr), PAGE_ROUND_UP(size)))
return (void*)-EFAULT;
String name;
@ -272,14 +272,14 @@ int Process::sys$mprotect(void* addr, size_t size, int prot)
REQUIRE_PROMISE(prot_exec);
}
if (!size)
Range range_to_mprotect = { VirtualAddress(addr), PAGE_ROUND_UP(size) };
if (!range_to_mprotect.size())
return -EINVAL;
if (!is_user_range(VirtualAddress(addr), size))
if (!is_user_range(range_to_mprotect))
return -EFAULT;
Range range_to_mprotect = { VirtualAddress(addr), size };
if (auto* whole_region = space().find_region_from_range(range_to_mprotect)) {
if (!whole_region->is_mmap())
return -EPERM;
@ -343,13 +343,15 @@ int Process::sys$madvise(void* address, size_t size, int advice)
{
REQUIRE_PROMISE(stdio);
if (!size)
Range range_to_madvise { VirtualAddress(address), PAGE_ROUND_UP(size) };
if (!range_to_madvise.size())
return -EINVAL;
if (!is_user_range(VirtualAddress(address), size))
if (!is_user_range(range_to_madvise))
return -EFAULT;
auto* region = space().find_region_from_range({ VirtualAddress(address), size });
auto* region = space().find_region_from_range(range_to_madvise);
if (!region)
return -EINVAL;
if (!region->is_mmap())
@ -413,10 +415,11 @@ int Process::sys$munmap(void* addr, size_t size)
if (!size)
return -EINVAL;
if (!is_user_range(VirtualAddress(addr), size))
Range range_to_unmap { VirtualAddress(addr), PAGE_ROUND_UP(size) };
if (!is_user_range(range_to_unmap))
return -EFAULT;
Range range_to_unmap { VirtualAddress(addr), size };
if (auto* whole_region = space().find_region_from_range(range_to_unmap)) {
if (!whole_region->is_mmap())
return -EPERM;

5
Kernel/VM/MemoryManager.h
View file

@ -265,6 +265,11 @@ inline bool is_user_range(VirtualAddress vaddr, size_t size)
return is_user_address(vaddr) && is_user_address(vaddr.offset(size));
}
inline bool is_user_range(const Range& range)
{
return is_user_range(range.base(), range.size());
}
inline bool PhysicalPage::is_shared_zero_page() const
{
return this == &MM.shared_zero_page();