RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 22:18:12 +00:00
Code Issues Activity Actions

Kernel: Fix buffer overflow in VirtIOGPU create_3d_resource(..)

Browse source 
This code attempts to copy the `Protocol::Resource3DSpecification`
struct into request, starting at `Protocol::ResourceCreate3D::target`
member of the `Protocol::ResourceCreate3D` struct.

The problem is that the `Protocol::Resource3DSpecification` struct
does not having the trailing `u32 padding` that the `ResourceCreate3D`
struct has. Leading to memcopy overrunning the struct and corrupting
32 bits of data trailing the struct.

Found by SonarCloud:
 - Memory copy function overflows the destination buffer.
This commit is contained in:
Brian Gianforcaro 2022-03-13 20:07:31 -07:00 committed by Andreas Kling
parent af50895fa3
commit c0ed656c94
3 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Kernel/Graphics/VirtIOGPU/GPU3DDevice.cpp
View file

@ -114,7 +114,8 @@ ErrorOr<void> GPU3DDevice::ioctl(OpenFileDescription& description, unsigned requ
.array_size = spec.array_size,
.last_level = spec.last_level,
.nr_samples = spec.nr_samples,
.flags = spec.flags
.flags = spec.flags,
.padding = 0,
};
MutexLocker locker(m_graphics_adapter.operation_lock());
auto resource_id = m_graphics_adapter.create_3d_resource(resource_spec).value();