RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 20:27:45 +00:00
Code Issues Activity Actions

Kernel: Don't dereference untrusted userspace pointer in sys$uname()

Browse source 
Instead of writing to the userspace utsname struct one field at a time,
build up a utsname on the kernel stack and copy it out to userspace
once it's finished. This is both simpler and gets validity checking
built-in for free.

Found by KUBSAN! :^)

Fixes #5499.
This commit is contained in:
Andreas Kling 2021-02-24 14:33:50 +01:00
parent 99cd0d3ffb
commit a48d54dfc5
1 changed files with 8 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

20
Kernel/Syscalls/uname.cpp
View file

@ -39,18 +39,14 @@ int Process::sys$uname(Userspace<utsname*> buf)
if (g_hostname->length() + 1 > sizeof(utsname::nodename))
return -ENAMETOOLONG;
// We have already validated the entire utsname struct at this
// point, there is no need to re-validate every write to the struct.
utsname* user_buf = buf.unsafe_userspace_ptr();
if (!copy_to_user(user_buf->sysname, "SerenityOS", 11))
return -EFAULT;
if (!copy_to_user(user_buf->release, "1.0-dev", 8))
return -EFAULT;
if (!copy_to_user(user_buf->version, "FIXME", 6))
return -EFAULT;
if (!copy_to_user(user_buf->machine, "i686", 5))
return -EFAULT;
if (!copy_to_user(user_buf->nodename, g_hostname->characters(), g_hostname->length() + 1))
utsname buf {};
memcpy(buf.sysname, "SerenityOS", 11);
memcpy(buf.release, "1.0-dev", 8);
memcpy(buf.version, "FIXME", 6);
memcpy(buf.machine, "i686", 5);
memcpy(buf.nodename, g_hostname->characters(), g_hostname->length() + 1);
if (!copy_to_user(user_buf, &buf))
return -EFAULT;
return 0;
}