mirror of https://github.com/RGBCube/serenity synced 2025-05-31 13:18:13 +00:00

Kernel: AnonymousVMObject::create_for_physical_range() should fail more

Previously it was not possible for this function to fail. You could
exploit this by triggering the creation of a VMObject whose physical
memory range would wrap around the 32-bit limit.

It was quite easy to map kernel memory into userspace and read/write
whatever you wanted in it.

Test: Kernel/bxvga-mmap-kernel-into-userspace.cpp
Andreas Kling 2020-01-28 20:48:07 +01:00
parent bd059e32e1
commit c17f80e720
6 changed files with 109 additions and 6 deletions


@ -34,7 +34,7 @@ public:
virtual ~AnonymousVMObject() override;
static NonnullRefPtr<AnonymousVMObject> create_with_size(size_t);
static NonnullRefPtr<AnonymousVMObject> create_for_physical_range(PhysicalAddress, size_t);
static RefPtr<AnonymousVMObject> create_for_physical_range(PhysicalAddress, size_t);
static NonnullRefPtr<AnonymousVMObject> create_with_physical_page(PhysicalPage&);
virtual NonnullRefPtr<VMObject> clone() override;
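
Review bot: The create_for_physical_range() declaration, now returning RefPtr<AnonymousVMObject>, is the only nullable factory in this class, and nothing at the declaration says when it returns null. A one-line comment above it stating the failure condition (for example, that null is returned when the requested physical range is rejected, such as the wrapping range the commit message describes) would make the contract clear next to create_with_size() and create_with_physical_page(), which still return NonnullRefPtr. The call sites are not visible in this hunk; each one needs a null check before dereferencing the result, so it is worth confirming that none of them still dereferences it unconditionally or passes it on as if it were non-null.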