From c6027ed7cce901dc0d2b6f68002a911178ae587f Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Thu, 11 Feb 2021 20:38:39 +0100
Subject: [PATCH] Kernel: Refuse excessively long iovec list

If a program attempts to write from more than a million different locations, there is likely shenaniganery afoot! Refuse to write to prevent kmem exhaustion.

Found by fuzz-syscalls. Can be reproduced by running this in the Shell:
$ syscall writev 1 [ 0 ] 0x08000000
---
 Kernel/Syscalls/write.cpp | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/Kernel/Syscalls/write.cpp b/Kernel/Syscalls/write.cpp
index a2545d8469..b80f6c6912 100644
--- a/Kernel/Syscalls/write.cpp
+++ b/Kernel/Syscalls/write.cpp
@@ -37,12 +37,9 @@ ssize_t Process::sys$writev(int fd, Userspace iov, int iov_
     if (iov_count < 0)
         return -EINVAL;
-    {
-        Checked checked_iov_count = sizeof(iovec);
-        checked_iov_count *= iov_count;
-        if (checked_iov_count.has_overflow())
-            return -EFAULT;
-    }
+    // Arbitrary pain threshold.
+    if (iov_count > (int)MiB)
+        return -EFAULT;
     u64 total_length = 0;
     Vector vecs;