RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-19 00:25:07 +00:00
Code Issues Activity Actions

Kernel: AnonymousVMObject::create_for_physical_range() should fail more

Browse source 
Previously it was not possible for this function to fail. You could
exploit this by triggering the creation of a VMObject whose physical
memory range would wrap around the 32-bit limit.

It was quite easy to map kernel memory into userspace and read/write
whatever you wanted in it.

Test: Kernel/bxvga-mmap-kernel-into-userspace.cpp
This commit is contained in:
Andreas Kling 2020-01-28 20:48:07 +01:00
parent bd059e32e1
commit c17f80e720
6 changed files with 109 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Kernel/VM/AnonymousVMObject.cpp
View file

@ -32,8 +32,12 @@ NonnullRefPtr<AnonymousVMObject> AnonymousVMObject::create_with_size(size_t size
return adopt(*new AnonymousVMObject(size));
}
NonnullRefPtr<AnonymousVMObject> AnonymousVMObject::create_for_physical_range(PhysicalAddress paddr, size_t size)
RefPtr<AnonymousVMObject> AnonymousVMObject::create_for_physical_range(PhysicalAddress paddr, size_t size)
{
if (paddr.offset(size) < paddr) {
dbg() << "Shenanigans! create_for_physical_range(" << paddr << ", " << size << ") would wrap around";
return nullptr;
}
return adopt(*new AnonymousVMObject(paddr, size));
}