Kernel: Assert that copy_to/from_user() are called with user addresses

This will panic the kernel immediately if these functions are misused so we can catch it and fix the misuse. This patch fixes a couple of misuses: - create_signal_trampolines() writes to a user-accessible page above the 3GB address mark. We should really get rid of this page but that's a whole other thing. - CoW faults need to use copy_from_user rather than copy_to_user since it's the *source* pointer that points to user memory. - Inode faults need to use memcpy rather than copy_to_user since we're copying a kernel stack buffer into a quickmapped page. This should make the copy_to/from_user() functions slightly less useful for exploitation. Before this, they were essentially just glorified memcpy() with SMAP disabled. :^)
2025-07-26 04:57:44 +00:00 · 2020-01-19 09:14:14 +01:00 · 2020-01-19 09:14:14 +01:00 · f7b394e9a1
commit f7b394e9a1
parent 2cd212e5df
6 changed files with 33 additions and 15 deletions
--- a/Kernel/VM/MemoryManager.h
+++ b/Kernel/VM/MemoryManager.h
@ -214,3 +214,10 @@ inline bool is_user_address(VirtualAddress vaddr)
 {
    return vaddr.get() < 0xc0000000;
 }
+
+inline bool is_user_range(VirtualAddress vaddr, size_t size)
+{
+    if (vaddr.offset(size) < vaddr)
+        return false;
+    return is_user_address(vaddr) && is_user_address(vaddr.offset(size));
+}