RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 08:38:12 +00:00
Code Issues Activity Actions

Kernel: Move select Process members into protected memory

Browse source 
Process member variable like m_euid are very valuable targets for
kernel exploits and until now they have been writable at all times.

This patch moves m_euid along with a whole bunch of other members
into a new Process::ProtectedData struct. This struct is remapped
as read-only memory whenever we don't need to write to it.

This means that a kernel write primitive is no longer enough to
overwrite a process's effective UID, you must first unprotect the
protected data where the UID is stored. :^)
This commit is contained in:
Andreas Kling 2021-03-10 19:59:46 +01:00
parent 839d2d70a4
commit cbcf891040
12 changed files with 190 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Syscalls/profiling.cpp
View file

@ -57,7 +57,7 @@ KResultOr<int> Process::sys$profiling_enable(pid_t pid)
return ESRCH;
if (process->is_dead())
return ESRCH;
if (!is_superuser() && process->uid() != m_euid)
if (!is_superuser() && process->uid() != euid())
return EPERM;
if (!process->create_perf_events_buffer_if_needed())
return ENOMEM;
@ -79,7 +79,7 @@ KResultOr<int> Process::sys$profiling_disable(pid_t pid)
auto process = Process::from_pid(pid);
if (!process)
return ESRCH;
if (!is_superuser() && process->uid() != m_euid)
if (!is_superuser() && process->uid() != euid())
return EPERM;
if (!process->is_profiling())
return EINVAL;