From 9dffcc9752d7e6a4337f3ef500683ace9f0047da Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Tue, 28 Dec 2021 19:25:14 +0100
Subject: [PATCH] Kernel: VERIFY that addresses passed to kfree_sized() look valid

Let's do some simple pointer arithmetic to verify that the address being freed is at least within one of the two valid kmalloc VM ranges.
---
 Kernel/Heap/kmalloc.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Kernel/Heap/kmalloc.cpp b/Kernel/Heap/kmalloc.cpp
index a26923b4c1..71aacb04f1 100644
--- a/Kernel/Heap/kmalloc.cpp
+++ b/Kernel/Heap/kmalloc.cpp
@@ -186,6 +186,7 @@ struct KmallocGlobalData {
     void deallocate(void* ptr, size_t size)
     {
         VERIFY(!expansion_in_progress);
+        VERIFY(is_valid_kmalloc_address(VirtualAddress { ptr }));
 
         for (auto& slabheap : slabheaps) {
             if (size <= slabheap.slab_size())
@@ -298,6 +299,17 @@ struct KmallocGlobalData {
     };
     Optional expansion_data;
 
+    bool is_valid_kmalloc_address(VirtualAddress vaddr) const
+    {
+        if (vaddr.as_ptr() >= initial_kmalloc_memory && vaddr.as_ptr() < (initial_kmalloc_memory + INITIAL_KMALLOC_MEMORY_SIZE))
+            return true;
+
+        if (!expansion_data.has_value())
+            return false;
+
+        return expansion_data->virtual_range.contains(vaddr);
+    }
+
     KmallocSubheap::List subheaps;
     KmallocSlabheap slabheaps[6] = { 16, 32, 64, 128, 256, 512 };
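Review bot: The VERIFY added to deallocate() only establishes that ptr lies inside one of the kmalloc VM ranges (the initial region or, when present, the expansion range checked by the helper in the later hunk), not that it is the start of a live allocation, so a pointer into the middle of a chunk or a repeated free of the same chunk still passes; a comment on the new line would keep later readers from treating it as a full free-pointer check, e.g. `// Coarse sanity check only: ptr is inside a kmalloc VM range, not necessarily a live allocation start.` A null ptr that reaches deallocate() will now trip this VERIFY rather than being ignored, and the hunk does not show whether kfree_sized() filters nullptr before calling in, so that should be confirmed at the caller. deallocate()'s body continues past the end of the hunk.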