1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-30 21:38:11 +00:00
Commit graph

430 commits

Author SHA1 Message Date
Ben Wiederhake
2b6546c40a Kernel: Make Thread use AK::Time internally
This commit is very invasive, because Thread likes to take a pointer and write
to it. This means that translating between timespec/timeval/Time would have been
more difficult than just changing everything that hands a raw pointer to Thread,
in bulk.
2021-03-02 08:36:08 +01:00
Ben Wiederhake
8598240193 Kernel: Sanitize all user-supplied timeval's/timespec's
This also removes a bunch of unnecessary EINVAL. Most of them weren't even
recommended by POSIX.
2021-03-02 08:36:08 +01:00
Andreas Kling
4d006de2b9 Kernel: Fix build with IO_DEBUG 2021-03-01 16:07:50 +01:00
Andreas Kling
272c2e6ec5 Kernel: Use Userspace<T> in sys${munmap,mprotect,madvise,msyscall}() 2021-03-01 15:53:33 +01:00
Andreas Kling
bebceaa32c Kernel: Use Userspace<T> in sys$select() 2021-03-01 15:07:01 +01:00
Andreas Kling
a1a82c1d95 Kernel: Use Userspace<T> in sys$get_dir_entries() 2021-03-01 15:04:31 +01:00
Andreas Kling
b5f32be577 Kernel: Use Userspace<T> in sys$get_stack_bounds() 2021-03-01 14:50:36 +01:00
Andreas Kling
122c7b6cbb Kernel: Use Userspace<T> in sys$write() 2021-03-01 14:35:06 +01:00
Andreas Kling
6a6eb8844a Kernel: Use Userspace<T> in sys$sigaction()
fuzz-syscalls found a bunch of unaligned accesses into struct sigaction
via this syscall. This patch fixes that issue by porting the syscall
to Userspace<T> which we should have done anyway. :^)

Fixes #5500.
2021-03-01 14:06:20 +01:00
Andreas Kling
ac71775de5 Kernel: Make all syscall functions return KResultOr<T>
This makes it a lot easier to return errors since we no longer have to
worry about negating EFOO errors and can just return them flat.
2021-03-01 13:54:32 +01:00
Andreas Kling
4aa58aaab5 Kernel: Don't disable interrupts while exiting a thread or process
This was another vestige from a long time ago, when exiting a thread
would mutate global data structures that were only protected by the
interrupt flag.
2021-02-25 19:36:36 +01:00
Andreas Kling
8eeb8db2ed Kernel: Don't disable interrupts while dealing with a process crash
This was necessary in the past when crash handling would modify
various global things, but all that stuff is long gone so we can
simplify crashes by leaving the interrupt flag alone.
2021-02-25 19:36:36 +01:00
Andreas Kling
8129f3da52 Kernel: Move SMAP disabler RAII helper to its own file
Added this in a new directory called Kernel/Arch/x86/ where stuff
that applies to both i386 and x86_64 can live.
2021-02-25 17:25:34 +01:00
Andreas Kling
8f70528f30 Kernel: Take some baby steps towards x86_64
Make more of the kernel compile in 64-bit mode, and make some things
pointer-size-agnostic (by using FlatPtr.)

There's a lot of work to do here before the kernel will even compile.
2021-02-25 16:27:12 +01:00
Andreas Kling
c11511a0ab Kernel: Move sys$sigaction() implementation inside ARCH(i386) 2021-02-25 11:33:06 +01:00
Andreas Kling
53c6c29158 Kernel: Tighten some typing in Arch/i386/CPU.h
Use more appropriate types for some things.
2021-02-25 11:32:27 +01:00
Brian Gianforcaro
303620ea85 Kernel: Fix pointer overflow in create_thread
KUBSAN found this overflow from syscall fuzzing.

Fixes #5498
2021-02-24 15:14:13 +01:00
Andreas Kling
ce1775d81d Kernel: Oops, fix broken sys$uname() function definition 2021-02-24 14:42:38 +01:00
Andreas Kling
a48d54dfc5 Kernel: Don't dereference untrusted userspace pointer in sys$uname()
Instead of writing to the userspace utsname struct one field at a time,
build up a utsname on the kernel stack and copy it out to userspace
once it's finished. This is both simpler and gets validity checking
built-in for free.

Found by KUBSAN! :^)

Fixes #5499.
2021-02-24 14:37:36 +01:00
Andreas Kling
5d180d1f99 Everywhere: Rename ASSERT => VERIFY
(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)

Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.

We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.
2021-02-23 20:56:54 +01:00
Brian Gianforcaro
d934e77522 Kernel: Use copy_n_from_user in sys$setgroups to check for overflow 2021-02-21 17:12:01 +01:00
Brian Gianforcaro
4743afeaf4 Kernel: Use already computed nfds_checked value when copying from user mode.
- We've already computed the number of fds * sizeof(pollfd), so use it
  instead of needlessly doing it again.

- Use fds_copy.data() instead off address of indexing the vector.
2021-02-21 17:12:01 +01:00
Brian Gianforcaro
1c0e2947d7 Kernel: Use copy_n_from_user in sys$setkeymap 2021-02-21 17:12:01 +01:00
Brian Gianforcaro
26bba8e100 Kernel: Populate ELF::AuxilaryValue::Platform from Processor object.
Move this to the processor object so it can easily be implemented
when Serenity is compiled for a different architecture.
2021-02-21 17:06:24 +01:00
Brian Gianforcaro
a977cdd9ac Kernel: Remove unneeded Thread::set_default_signal_dispositions
The `default_signal_action(u8 signal)` function already has the
full mapping. The only caveat being that now we need to make
sure the thread constructor and clear_signals() method do the work
of resetting the m_signal_action_data array, instead or relying on
the previous logic in set_default_signal_dispositions.
2021-02-21 12:54:39 +01:00
Andreas Kling
84b2d4c475 Kernel: Add "map_fixed" pledge promise
This is a new promise that guards access to mmap() with MAP_FIXED.

Fixed-address mappings are rarely used, but can be useful if you are
trying to groom the process address space for malicious purposes.

None of our programs need this at the moment, as the only user of
MAP_FIXED is DynamicLoader, but the fixed mappings are constructed
before the process has had a chance to pledge anything.
2021-02-21 01:08:48 +01:00
Andreas Kling
6e83be67b8 Kernel: Release ptrace lock in exec before stopping due to PT_TRACE_ME
If we have a tracer process waiting for us to exec, we need to release
the ptrace lock before stopping ourselves, since otherwise the tracer
will block forever on the lock.

Fixes #5409.
2021-02-19 12:13:54 +01:00
Andreas Kling
eb92ec3149 Kernel: Factor out mmap & friends range expansion to a helper function
sys$mmap() and related syscalls must pad to the nearest page boundary
below the base address *and* above the end address of the specified
range. Since we have to do this in many places, let's make a helper.
2021-02-18 18:04:58 +01:00
Andreas Kling
55a9a4f57a Kernel: Use KResult a bit more in sys$execve() 2021-02-18 09:37:33 +01:00
Andreas Kling
5a595ef134 Kernel: Use dbgln_if() in sys$fork() 2021-02-17 15:34:32 +01:00
Andreas Kling
575c7ed414 Kernel: Make sys$msyscall() EFAULT on non-user address
Fixes #5361.
2021-02-16 11:32:00 +01:00
Ben Wiederhake
fbb85f9b2f Kernel: Refuse excessively long iovec list, also in readv
This bug is a good example why copy-paste code should eventually be eliminated
from the code base: Apparently the code was copied from read.cpp before
c6027ed7cc, so the same bug got introduced here.

To recap: A malicious program can ask the Kernel to prepare sys-ing to
a huge amount of iovecs. The Kernel must first copy all the vector locations
into 'vecs', and before that allocates an arbitrary amount of memory:
    vecs.resize(iov_count);
This can cause Kernel memory exhaustion, triggered by any malicious userland
program.
2021-02-15 22:09:01 +01:00
AnotherTest
4519950266 Kernel+LibC: Add the _SC_GETPW_R_SIZE_MAX sysconf enum
It just returns 4096 :P
2021-02-15 17:32:56 +01:00
AnotherTest
a3a7ab83c4 Kernel+LibC: Implement readv
We already had writev, so let's just add readv too.
2021-02-15 17:32:56 +01:00
Andreas Kling
68e3616971 Kernel: Forked children should inherit the signal trampoline address
Fixes #5347.
2021-02-14 18:38:46 +01:00
Andreas Kling
6ee499aeb0 Kernel: Round old address/size in sys$mremap() to page size multiples
Found by fuzz-syscalls. :^)
2021-02-14 13:15:05 +01:00
Andreas Kling
e47bffdc8c Kernel: Add some bits of randomness to the userspace stack pointer
This patch adds a random offset between 0 and 4096 to the initial
stack pointer in new processes. Since the stack has to be 16-byte
aligned, the bottom bits can't be randomized.

Yet another thing to make things less predictable. :^)
2021-02-14 11:53:49 +01:00
Andreas Kling
4188373020 Kernel: Fix TOCTOU in syscall entry region validation
We were doing stack and syscall-origin region validations before
taking the big process lock. There was a window of time where those
regions could then be unmapped/remapped by another thread before we
proceed with our syscall.

This patch closes that window, and makes sys$get_stack_bounds() rely
on the fact that we now know the userspace stack pointer to be valid.

Thanks to @BenWiederhake for spotting this! :^)
2021-02-14 11:47:14 +01:00
Ben Wiederhake
c0692f1f95 Kernel: Avoid magic number in sys$poll 2021-02-14 10:57:33 +01:00
Andreas Kling
cc341c95aa Kernel: Panic on sys$get_stack_bounds() in stack-less process 2021-02-14 10:51:18 +01:00
Andreas Kling
781d29a337 Kernel+Userland: Give sys$recvfd() an options argument for O_CLOEXEC
@bugaevc pointed out that we shouldn't be setting this flag in
userspace, and he's right of course.
2021-02-14 10:39:48 +01:00
Andreas Kling
09b1b09c19 Kernel: Assert if rounding-up-to-page-size would wrap around to 0
If we try to align a number above 0xfffff000 to the next multiple of
the page size (4 KiB), it would wrap around to 0. This is most likely
never what we want, so let's assert if that happens.
2021-02-14 10:01:50 +01:00
Andreas Kling
1593219a41 Kernel: Map signal trampoline into each process's address space
The signal trampoline was previously in kernelspace memory, but with
a special exception to make it user-accessible.

This patch moves it into each process's regular address space so we
can stop supporting user-allowed memory above 0xc0000000.
2021-02-14 01:33:17 +01:00
Andreas Kling
ffdfbf1dba Kernel: Fix wrong sizeof() type in sys$execve() argument overflow check 2021-02-14 00:15:01 +01:00
Andreas Kling
c877612211 Kernel: Round down base of partial ranges provided to munmap/mprotect
We were failing to round down the base of partial VM ranges. This led
to split regions being constructed that could have a non-page-aligned
base address. This would then trip assertions in the VM code.

Found by fuzz-syscalls. :^)
2021-02-13 01:49:44 +01:00
Andreas Kling
62f0f73bf0 Kernel: Limit the number of file descriptors sys$poll() can handle
Just slap an arbitrary limit on there so we don't panic if somebody
asks us to poll 1 fajillion fds.

Found by fuzz-syscalls. :^)
2021-02-13 01:18:03 +01:00
Andreas Kling
7551090056 Kernel: Round up ranges to page size multiples in munmap and mprotect
This prevents passing bad inputs to RangeAllocator who then asserts.

Found by fuzz-syscalls. :^)
2021-02-13 01:18:03 +01:00
Ben Wiederhake
546cdde776 Kernel: clock_nanosleep's 'flags' is not a bitset
This had the interesting effect that most, but not all, non-zero values
were interpreted as an absolute value.
2021-02-13 00:40:31 +01:00
Ben Wiederhake
e1db8094b6 Kernel: Avoid casting arbitrary user-controlled int to enum
This caused a load-invalid-value warning by KUBSan.

Found by fuzz-syscalls. Can be reproduced by running this in the Shell:

    $ syscall waitid [ 1234 ]
2021-02-13 00:40:31 +01:00
Ben Wiederhake
c6027ed7cc Kernel: Refuse excessively long iovec list
If a program attempts to write from more than a million different locations,
there is likely shenaniganery afoot! Refuse to write to prevent kmem exhaustion.

Found by fuzz-syscalls. Can be reproduced by running this in the Shell:

    $ syscall writev 1 [ 0 ] 0x08000000
2021-02-13 00:40:31 +01:00