RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 12:38:12 +00:00
Code Issues Activity Actions

Kernel: Move select Process members into protected memory

Browse source 
Process member variable like m_euid are very valuable targets for
kernel exploits and until now they have been writable at all times.

This patch moves m_euid along with a whole bunch of other members
into a new Process::ProtectedData struct. This struct is remapped
as read-only memory whenever we don't need to write to it.

This means that a kernel write primitive is no longer enough to
overwrite a process's effective UID, you must first unprotect the
protected data where the UID is stored. :^)
This commit is contained in:
Andreas Kling 2021-03-10 19:59:46 +01:00
parent 839d2d70a4
commit cbcf891040
12 changed files with 190 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

13
Kernel/Syscalls/getuid.cpp
View file

@ -31,31 +31,31 @@ namespace Kernel {
KResultOr<uid_t> Process::sys$getuid()
{
REQUIRE_PROMISE(stdio);
return m_uid;
return uid();
}
KResultOr<gid_t> Process::sys$getgid()
{
REQUIRE_PROMISE(stdio);
return m_gid;
return gid();
}
KResultOr<uid_t> Process::sys$geteuid()
{
REQUIRE_PROMISE(stdio);
return m_euid;
return euid();
}
KResultOr<gid_t> Process::sys$getegid()
{
REQUIRE_PROMISE(stdio);
return m_egid;
return egid();
}
KResultOr<int> Process::sys$getresuid(Userspace<uid_t*> ruid, Userspace<uid_t*> euid, Userspace<uid_t*> suid)
{
REQUIRE_PROMISE(stdio);
if (!copy_to_user(ruid, &m_uid) || !copy_to_user(euid, &m_euid) || !copy_to_user(suid, &m_suid))
if (!copy_to_user(ruid, &protected_data().uid) || !copy_to_user(euid, &protected_data().euid) || !copy_to_user(suid, &protected_data().suid))
return EFAULT;
return 0;
}
@ -63,7 +63,7 @@ KResultOr<int> Process::sys$getresuid(Userspace<uid_t*> ruid, Userspace<uid_t*>
KResultOr<int> Process::sys$getresgid(Userspace<gid_t*> rgid, Userspace<gid_t*> egid, Userspace<gid_t*> sgid)
{
REQUIRE_PROMISE(stdio);
if (!copy_to_user(rgid, &m_gid) || !copy_to_user(egid, &m_egid) || !copy_to_user(sgid, &m_sgid))
if (!copy_to_user(rgid, &protected_data().gid) || !copy_to_user(egid, &protected_data().egid) || !copy_to_user(sgid, &protected_data().sgid))
return EFAULT;
return 0;
}
@ -80,6 +80,7 @@ KResultOr<int> Process::sys$getgroups(ssize_t count, Userspace<gid_t*> user_gids
if (!copy_to_user(user_gids, m_extra_gids.data(), sizeof(gid_t) * count))
return EFAULT;
return 0;
}