RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 15:47:44 +00:00
Code Issues Activity Actions

Kernel: Stop ProcFS stack walk on bogus userspace->kernel traversal

Browse source 
Unsurprisingly, the /proc/PID/stacks/TID stack walk had the same
arbitrary memory read problem as the perf event stack walk.

It would be nice if the kernel had a single stack walk implementation,
but that's outside the scope of this commit.
This commit is contained in:
Andreas Kling 2021-12-19 18:16:15 +01:00
parent bc518e39bf
commit e0521cfb9d
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
Kernel/Arch/x86/common/Processor.cpp
View file

@ -471,6 +471,7 @@ Vector<FlatPtr> Processor::capture_stack_trace(Thread& thread, size_t max_frames
auto walk_stack = [&](FlatPtr stack_ptr) { auto walk_stack = [&](FlatPtr stack_ptr) {
static constexpr size_t max_stack_frames = 4096; static constexpr size_t max_stack_frames = 4096;
bool is_walking_userspace_stack = false;
stack_trace.append(ip); stack_trace.append(ip);
size_t count = 1; size_t count = 1;
while (stack_ptr && stack_trace.size() < max_stack_frames) { while (stack_ptr && stack_trace.size() < max_stack_frames) {
@ -480,6 +481,15 @@ Vector<FlatPtr> Processor::capture_stack_trace(Thread& thread, size_t max_frames
if (max_frames != 0 && count > max_frames) if (max_frames != 0 && count > max_frames)
break; break;
if (!Memory::is_user_address(VirtualAddress { stack_ptr })) {
if (is_walking_userspace_stack) {
dbgln("SHENANIGANS! Userspace stack points back into kernel memory");
break;
}
} else {
is_walking_userspace_stack = true;
}
if (Memory::is_user_range(VirtualAddress(stack_ptr), sizeof(FlatPtr) * 2)) { if (Memory::is_user_range(VirtualAddress(stack_ptr), sizeof(FlatPtr) * 2)) {
if (copy_from_user(&retaddr, &((FlatPtr*)stack_ptr)[1]).is_error() || !retaddr) if (copy_from_user(&retaddr, &((FlatPtr*)stack_ptr)[1]).is_error() || !retaddr)
break; break;