From 9c9fe62a4b958b5ffa4e30b8b02f6fe4233d756b Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 18 Jan 2020 14:37:22 +0100
Subject: [PATCH] Kernel: Validate the requested range in allocate_region_with_vmobject()

---
 Kernel/Process.cpp | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index 1dd119ecf5..bcd59a775d 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -194,6 +194,19 @@ Region* Process::allocate_file_backed_region(VirtualAddress vaddr, size_t size,
 
 Region* Process::allocate_region_with_vmobject(VirtualAddress vaddr, size_t size, NonnullRefPtr vmobject, size_t offset_in_vmobject, const String& name, int prot, bool user_accessible)
 {
+ size_t end_in_vmobject = offset_in_vmobject + size;
+ if (end_in_vmobject < offset_in_vmobject) {
+ dbgprintf("allocate_region_with_vmobject: Overflow (offset + size)\n");
+ return nullptr;
+ }
+ if (offset_in_vmobject >= vmobject->size()) {
+ dbgprintf("allocate_region_with_vmobject: Attempt to allocate a region with an offset past the end of its VMObject.\n");
+ return nullptr;
+ }
+ if (end_in_vmobject > vmobject->size()) {
+ dbgprintf("allocate_region_with_vmobject: Attempt to allocate a region with an end past the end of its VMObject.\n");
+ return nullptr;
+ }
 auto range = allocate_range(vaddr, size);
 if (!range.is_valid())
 return nullptr;
@@ -666,7 +679,6 @@ int Process::do_exec(NonnullRefPtr main_program_description, Ve
 {
 ASSERT(is_ring3());
 auto path = main_program_description->absolute_path();
- dbgprintf("%s(%d) do_exec(%s): thread_count() = %d\n", m_name.characters(), m_pid, path.characters(), thread_count());
 // FIXME(Thread): Kill any threads the moment we commit to the exec().
 if (thread_count() != 1) {
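Review bot: A zero-length request still passes all three new checks in the first hunk — with `size == 0`, `end_in_vmobject == offset_in_vmobject`, so the wrap-around test is false and `end_in_vmobject > vmobject->size()` cannot fire — and the function proceeds to `allocate_range(vaddr, 0)`; unless allocate_range rejects that itself (it is not visible here), an explicit `if (size == 0) return nullptr;` ahead of the arithmetic would pin the contract. That `size == 0` case is also the only input the middle `offset_in_vmobject >= vmobject->size()` check catches that the final check does not, which deserves a one-line comment so a later cleanup does not drop it as redundant. The comparisons are byte-granular while regions are mapped in whole pages, so they are only as strong as the callers' page-rounding of `size` and `offset_in_vmobject` and the alignment of `vmobject->size()`, which should be confirmed at the mmap call site. If a VMObject's size can change after the region exists (e.g. an inode-backed object whose file is later truncated), this guards allocation-time state only and the fault path still needs its own bound. The body of allocate_region_with_vmobject continues past the end of the hunk.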