RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-31 06:02:44 +00:00
Code Issues Activity Actions

Kernel: sys$munmap() region splitting did not preserve "shared" flag

Browse source 
This was exploitable since the shared flag determines whether inode
permission checks are applied in sys$mprotect().

The bug was pretty hard to spot due to default arguments being used
instead. This patch removes the default arguments to make explicit
at each call site what's being done.
This commit is contained in:
Andreas Kling 2021-01-26 16:56:34 +01:00
parent e7183cc762
commit a131927c75
4 changed files with 9 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Kernel/VM/MemoryManager.cpp
View file

@ -454,7 +454,7 @@ OwnPtr<Region> MemoryManager::allocate_kernel_region_with_vmobject(const Range&
ScopedSpinLock lock(s_mm_lock);
OwnPtr<Region> region;
if (user_accessible)
region = Region::create_user_accessible(nullptr, range, vmobject, 0, name, access, cacheable);
region = Region::create_user_accessible(nullptr, range, vmobject, 0, name, access, cacheable, false);
else
region = Region::create_kernel_only(range, vmobject, 0, name, access, cacheable);
if (region)