1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-10 08:17:35 +00:00
Commit graph

3011 commits

Author SHA1 Message Date
Andreas Kling
200459d644 Kernel: Fix SMAP violation in join_thread() 2020-01-08 15:21:05 +01:00
Andreas Kling
fe1bf067b8 ProcFS: Reads past the end of a generated file should be zero-length 2020-01-08 12:59:06 +01:00
Andreas Kling
28ee5b0e98 TmpFS: Reads past the end of a file should be zero-length 2020-01-08 12:47:41 +01:00
Andreas Kling
50056d1d84 Kernel: mmap() should fail with ENODEV for directories 2020-01-08 12:47:37 +01:00
Andreas Kling
372f9e9a11 Kernel: Enable SMAP protection on IRQ and exception entry
It would be nice to do this in the assembly code, but we have to check
if the feature is available before doing a CLAC, so I've put this in
the C++ code for now.
2020-01-08 10:37:53 +01:00
Andreas Kling
fe9680f0a4 Kernel: Validate PROT_READ and PROT_WRITE against underlying file
This patch fixes some issues with the mmap() and mprotect() syscalls,
neither of whom were checking the permission bits of the underlying
files when mapping an inode MAP_SHARED.

This made it possible to subvert execution of any running program
by simply memory-mapping its executable and replacing some of the code.

Test: Kernel/mmap-write-into-running-programs-executable-file.cpp
2020-01-07 19:32:32 +01:00
Andreas Kling
faf32153f6 Kernel: Take const Process& in InodeMetadata::may_{read,write,execute} 2020-01-07 19:24:06 +01:00
Andreas Kling
5387a19268 Kernel: Make Process::file_description() vend a RefPtr<FileDescription>
This encourages callers to strongly reference file descriptions while
working with them.

This fixes a use-after-free issue where one thread would close() an
open fd while another thread was blocked on it becoming readable.

Test: Kernel/uaf-close-while-blocked-in-read.cpp
2020-01-07 15:53:42 +01:00
Andreas Kling
a49d9c774f TmpFS: Add ASSERT(offset >= 0) to read_bytes() and write_bytes() 2020-01-07 15:25:56 +01:00
Andreas Kling
6a4b376021 Kernel: Validate ftruncate(fd, length) syscall inputs
- EINVAL if 'length' is negative
- EBADF if 'fd' is not open for writing
2020-01-07 14:48:43 +01:00
Andreas Kling
bb9db9d430 TmpFS: Add "." and ".." entries to all directories
It was so weird not seeing them in "ls -la" output :^)
2020-01-07 14:48:43 +01:00
Andreas Kling
56a2c21e0c Kernel: Don't leak kmalloc pointers through FIFO absolute paths
Instead of using the FIFO's memory address as part of its absolute path
identity, just use an incrementing FIFO index instead.

Note that this is not used for anything other than debugging (it helps
you identify which file descriptors refer to the same FIFO by looking
at /proc/PID/fds
2020-01-07 10:29:47 +01:00
Andreas Kling
5646a95161 Kernel: Make Socket::absolute_path() pure virtual
This is overridden by all subclasses, so can just be pure virtual.
2020-01-07 10:24:45 +01:00
Andreas Kling
78a63930cc Kernel+LibELF: Validate PT_LOAD and PT_TLS offsets before memcpy()'ing
Before this, you could make the kernel copy memory from anywhere by
setting up an ELF executable with a program header specifying file
offsets outside the file.

Since ELFImage didn't even know how large it was, we had no clue that
we were copying things from outside the ELF.

Fix this by adding a size field to ELFImage and validating program
header ranges before memcpy()'ing to them.

The ELF code is definitely going to need more validation and checking.
2020-01-06 21:04:57 +01:00
Andreas Kling
8088fa0556 Kernel: Process::send_signal() should prefer main thread
The main/first thread in a process always has the same TID as the PID.
2020-01-06 14:37:26 +01:00
Andreas Kling
a803312eb4 Kernel: Send SIGCHLD to the thread with same PID as my PPID
Instead of delivering SIGCHLD to "any thread" in the process with PPID,
send it to the thread with the same TID as my PPID.
2020-01-06 14:35:42 +01:00
Andreas Kling
cd42ccd686 Kernel: The waitpid() syscall was not storing to "wstatus" in all cases 2020-01-06 14:34:04 +01:00
Andreas Kling
0e6ea49410 Kernel: Fix SMAP violation when doing a crash dump 2020-01-06 14:26:47 +01:00
Andreas Kling
8e7420ddf2 Kernel: Harden memory mapping of the kernel image
We now map the kernel's text and rodata segments read+execute.
We also make the data and bss segments non-executable.

Thanks to q3k for the idea! :^)
2020-01-06 13:55:39 +01:00
Andreas Kling
47cc3e68c6 Kernel: Remove bogus kernel image access validation checks
This code had been misinterpreting the Multiboot ELF section headers
since the beginning. Furthermore QEMU wasn't even passing us any
headers at all, so this wasn't checking anything.
2020-01-06 13:27:14 +01:00
Andreas Kling
99f71a9a2c Kernel: Randomize the stack canary on startup 2020-01-06 13:05:40 +01:00
Andreas Kling
0614c3dd3c Kernel: Build the kernel as a position-independent executable
This is a prerequisite for KASLR, which we should eventually be doing.
2020-01-06 13:04:11 +01:00
Andreas Kling
53bda09d15 Kernel: Make utime() take path+length, remove SmapDisabler 2020-01-06 12:23:30 +01:00
Andreas Kling
1226fec19e Kernel: Remove SmapDisablers in stat() and lstat() 2020-01-06 12:13:48 +01:00
Andreas Kling
08cfcb888c Kernel: Add KResult::error() to make it look symmetrical with KResultOr 2020-01-06 12:08:27 +01:00
Andreas Kling
a47f0c93de Kernel: Pass name+length to mmap() and remove SmapDisabler 2020-01-06 12:04:55 +01:00
Andreas Kling
33025a8049 Kernel: Pass name+length to set_mmap_name() and remove SmapDisabler 2020-01-06 11:56:59 +01:00
Andreas Kling
6af8392cf8 Kernel: Remove SmapDisabler in futex() 2020-01-06 11:44:15 +01:00
Andreas Kling
a30fb5c5c1 Kernel: SMAP fixes for module_load() and module_unload()
Remove SmapDisabler in module_load() + use get_syscall_path_argument().
Also fix a SMAP violation in module_unload().
2020-01-06 11:36:16 +01:00
Andreas Kling
7c916b9fe9 Kernel: Make realpath() take path+length, get rid of SmapDisabler 2020-01-06 11:32:25 +01:00
Andreas Kling
d6b06fd5a3 Kernel: Make watch_file() syscall take path length as a size_t
We don't care to handle negative path lengths anyway.
2020-01-06 11:15:49 +01:00
Andreas Kling
cf7df95ffe Kernel: Use get_syscall_path_argument() for syscalls that take paths 2020-01-06 11:15:49 +01:00
Andreas Kling
0df72d4712 Kernel: Pass path+length to mkdir(), rmdir() and chmod() 2020-01-06 11:15:49 +01:00
Andreas Kling
642137f014 Kernel: Make access() take path+length
Also, let's return EFAULT for nullptr at the LibC layer. We can't do
all bad addresses this way, but we can at least do null. :^)
2020-01-06 11:15:48 +01:00
Shannon Booth
ad4284428a Meta: Allow sync.sh to be run from any directory
I often keep my terminal camped in the project root directory and run
`make && ./Kernel/sync.sh && ./Kernel/run`

This change allows me to not feel like a doofus when I do that :^)
2020-01-06 10:43:00 +01:00
Andreas Kling
2c3a6c37ac Kernel: Paper over SMAP violations in clock_{gettime,nanosleep}()
Just put some SmapDisablers here to unbreak the nesalizer port.
2020-01-05 23:20:33 +01:00
Andreas Kling
c5890afc8b Kernel: Make chdir() take path+length 2020-01-05 22:06:25 +01:00
Andreas Kling
f231e9ea76 Kernel: Pass path+length to the stat() and lstat() syscalls
It's not pleasant having to deal with null-terminated strings as input
to syscalls, so let's get rid of them one by one.
2020-01-05 22:02:54 +01:00
Andreas Kling
152a83fac5 Kernel: Remove SmapDisabler in watch_file() 2020-01-05 21:55:20 +01:00
Andreas Kling
80cbb72f2f Kernel: Remove SmapDisablers in open(), openat() and set_thread_name()
This patch introduces a helpful copy_string_from_user() function
that takes a bounded null-terminated string from userspace memory
and copies it into a String object.
2020-01-05 21:51:06 +01:00
Andreas Kling
c4a1ea34c2 Kernel: Fix SMAP violation in writev() syscall 2020-01-05 19:20:08 +01:00
Andreas Kling
f6691ad26e Kernel: Fix SMAP violation in thread signal dispatch 2020-01-05 18:19:26 +01:00
Andreas Kling
9eef39d68a Kernel: Start implementing x86 SMAP support
Supervisor Mode Access Prevention (SMAP) is an x86 CPU feature that
prevents the kernel from accessing userspace memory. With SMAP enabled,
trying to read/write a userspace memory address while in the kernel
will now generate a page fault.

Since it's sometimes necessary to read/write userspace memory, there
are two new instructions that quickly switch the protection on/off:
STAC (disables protection) and CLAC (enables protection.)
These are exposed in kernel code via the stac() and clac() helpers.

There's also a SmapDisabler RAII object that can be used to ensure
that you don't forget to re-enable protection before returning to
userspace code.

THis patch also adds copy_to_user(), copy_from_user() and memset_user()
which are the "correct" way of doing things. These functions allow us
to briefly disable protection for a specific purpose, and then turn it
back on immediately after it's done. Going forward all kernel code
should be moved to using these and all uses of SmapDisabler are to be
considered FIXME's.

Note that we're not realizing the full potential of this feature since
I've used SmapDisabler quite liberally in this initial bring-up patch.
2020-01-05 18:14:51 +01:00
Tibor Nagy
1bb98c6950 Kernel: Fix IRQ define in PS2MouseDevice 2020-01-05 10:45:30 +01:00
Andreas Kling
1525c11928 Kernel: Add missing iovec base validation for writev() syscall
We were forgetting to validate the base pointers of iovecs passed into
the writev() syscall.

Thanks to braindead for finding this bug! :^)
2020-01-05 10:38:02 +01:00
Andreas Kling
c89fe8a6a3 Kernel: Fix bad TOCTOU pattern in syscalls that take a parameter struct
Our syscall calling convention only allows passing up to 3 arguments in
registers. For syscalls that take more arguments, we bake them into a
struct and pass a pointer to that struct instead.

When doing pointer validation, this is what we would do:

    1) Validate the "params" struct
    2) Validate "params->some_pointer"
    3) ... other stuff ...
    4) Use "params->some_pointer"

Since the parameter struct is stored in userspace, it can be modified
by userspace after validation has completed.

This was a recurring pattern in many syscalls that was further hidden
by me using structured binding declarations to give convenient local
names to things in the parameter struct:

    auto& [some_pointer, ...] = *params;
    memcpy(some_pointer, ...);

This devilishly makes "some_pointer" look like a local variable but
it's actually more like an alias for "params->some_pointer" and will
expand to a dereference when accessed!

This patch fixes the issues by explicitly copying out each member from
the parameter structs before validating them, and then never using
the "param" pointers beyond that.

Thanks to braindead for finding this bug! :^)
2020-01-05 10:37:57 +01:00
Andreas Kling
d4761762f2 Kernel: Remove some unused Process members 2020-01-04 19:53:29 +01:00
Andreas Kling
3a27790fa7 Kernel: Use Thread::from_tid() in more places 2020-01-04 18:56:04 +01:00
Andreas Kling
95ba0d5a02 Kernel: Remove unused "putch" syscall 2020-01-04 16:00:25 +01:00
Andreas Kling
5abc30e057 Kernel: Allow setgroups() to drop all groups with nullptr
Previously we'd EFAULT for setgroups(0, nullptr), but we can just as
well tolerate it if someone wants to drop groups without a pointer.
2020-01-04 13:47:54 +01:00