mirror of
https://github.com/RGBCube/serenity
synced 2025-07-25 04:07:44 +00:00
Kernel: Assert that copy_to/from_user() are called with user addresses
This will panic the kernel immediately if these functions are misused so we can catch it and fix the misuse. This patch fixes a couple of misuses: - create_signal_trampolines() writes to a user-accessible page above the 3GB address mark. We should really get rid of this page but that's a whole other thing. - CoW faults need to use copy_from_user rather than copy_to_user since it's the *source* pointer that points to user memory. - Inode faults need to use memcpy rather than copy_to_user since we're copying a kernel stack buffer into a quickmapped page. This should make the copy_to/from_user() functions slightly less useful for exploitation. Before this, they were essentially just glorified memcpy() with SMAP disabled. :^)
This commit is contained in:
parent
2cd212e5df
commit
f7b394e9a1
6 changed files with 33 additions and 15 deletions
|
@ -424,7 +424,7 @@ PageFaultResponse Region::handle_cow_fault(size_t page_index_in_region)
|
|||
#ifdef PAGE_FAULT_DEBUG
|
||||
dbgprintf(" >> COW P%p <- P%p\n", physical_page->paddr().get(), physical_page_to_copy->paddr().get());
|
||||
#endif
|
||||
copy_to_user(dest_ptr, src_ptr, PAGE_SIZE);
|
||||
copy_from_user(dest_ptr, src_ptr, PAGE_SIZE);
|
||||
vmobject_physical_page_entry = move(physical_page);
|
||||
MM.unquickmap_page();
|
||||
set_should_cow(page_index_in_region, false);
|
||||
|
@ -481,7 +481,7 @@ PageFaultResponse Region::handle_inode_fault(size_t page_index_in_region)
|
|||
}
|
||||
|
||||
u8* dest_ptr = MM.quickmap_page(*vmobject_physical_page_entry);
|
||||
copy_to_user(dest_ptr, page_buffer, PAGE_SIZE);
|
||||
memcpy(dest_ptr, page_buffer, PAGE_SIZE);
|
||||
MM.unquickmap_page();
|
||||
|
||||
remap_page(page_index_in_region);
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue