mirror of https://github.com/RGBCube/serenity synced 2025-07-25 01:27:42 +00:00
serenity/Kernel
Andreas Kling c89fe8a6a3 Kernel: Fix bad TOCTOU pattern in syscalls that take a parameter struct
Our syscall calling convention only allows passing up to 3 arguments in
registers. For syscalls that take more arguments, we bake them into a
struct and pass a pointer to that struct instead.

When doing pointer validation, this is what we would do:

    1) Validate the "params" struct
    2) Validate "params->some_pointer"
    3) ... other stuff ...
    4) Use "params->some_pointer"

Since the parameter struct is stored in userspace, it can be modified
by userspace after validation has completed.

This was a recurring pattern in many syscalls that was further hidden
by me using structured binding declarations to give convenient local
names to things in the parameter struct:

    auto& [some_pointer, ...] = *params;
    memcpy(some_pointer, ...);

This devilishly makes "some_pointer" look like a local variable but
it's actually more like an alias for "params->some_pointer" and will
expand to a dereference when accessed!

This patch fixes the issues by explicitly copying out each member from
the parameter structs before validating them, and then never using
the "param" pointers beyond that.

Thanks to braindead for finding this bug! :^)
2020-01-05 10:37:57 +01:00
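The double fetch the commit describes, and the copy-out fix it applies, as an added stand-alone example (not SerenityOS kernel code). It is a single-threaded simulation: `write_params`, `user_mem`, `validate_user_range` and the `race_hook_t` callback are all hypothetical, and the hook stands in for a second userspace thread rewriting the struct in the window between validation and use.

```c
/* Added example, not SerenityOS code: simulates the double-fetch TOCTOU
 * from the commit next to the copy-out fix. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical parameter struct, passed by pointer from userspace. */
struct write_params {
    uint8_t* buffer;
    size_t size;
};

/* Simulated userspace memory: the params struct plus a data buffer. */
static struct {
    struct write_params params;
    uint8_t data[32];
} user_mem;

/* Simulated kernel-owned memory that a syscall must never write into. */
static uint8_t kernel_secret[16];

/* Stand-in for kernel pointer validation: accept only ranges inside user_mem. */
static bool validate_user_range(const void* ptr, size_t size) {
    uintptr_t start = (uintptr_t)ptr;
    uintptr_t base = (uintptr_t)&user_mem;
    if (size > sizeof(user_mem)) return false;
    return start >= base && start <= base + sizeof(user_mem) - size;
}

/* Callback standing in for another userspace thread that edits the struct
 * after validation has completed. */
typedef void (*race_hook_t)(struct write_params*);

static void retarget_to_kernel(struct write_params* p) {
    p->buffer = kernel_secret; /* the validated pointer is swapped out */
}

/* Vulnerable pattern: validates params->buffer, then reads through params
 * again at use time, so the second fetch can see a different pointer. */
static int sys_write_vulnerable(struct write_params* params, race_hook_t race,
                                const uint8_t* src, size_t n) {
    if (!validate_user_range(params, sizeof(*params))) return -1;
    if (!validate_user_range(params->buffer, params->size)) return -1;
    if (race) race(params);
    if (n > params->size) return -1;
    memcpy(params->buffer, src, n); /* second fetch: never validated */
    return 0;
}

/* Fixed pattern from the commit: copy each member out once, validate the
 * local copies, and never touch params again. */
static int sys_write_fixed(struct write_params* params, race_hook_t race,
                           const uint8_t* src, size_t n) {
    if (!validate_user_range(params, sizeof(*params))) return -1;
    uint8_t* buffer = params->buffer; /* real copies, not aliases into user memory */
    size_t size = params->size;
    if (!validate_user_range(buffer, size)) return -1;
    if (race) race(params); /* later userspace edits no longer matter */
    if (n > size) return -1;
    memcpy(buffer, src, n);
    return 0;
}

/* Runs one handler against the racing hook; true if kernel memory changed. */
static bool kernel_memory_corrupted(int (*handler)(struct write_params*, race_hook_t,
                                                   const uint8_t*, size_t)) {
    static const uint8_t payload[8] = "OVERWRT"; /* constructed sample input */
    memset(&user_mem, 0, sizeof(user_mem));
    memset(kernel_secret, 0xAA, sizeof(kernel_secret));
    user_mem.params.buffer = user_mem.data;
    user_mem.params.size = sizeof(user_mem.data);
    (void)handler(&user_mem.params, retarget_to_kernel, payload, sizeof(payload));
    for (size_t i = 0; i < sizeof(kernel_secret); i++)
        if (kernel_secret[i] != 0xAA) return true;
    return false;
}

int main(void) {
    bool bad = kernel_memory_corrupted(sys_write_vulnerable);
    bool good = !kernel_memory_corrupted(sys_write_fixed);
    return (bad && good) ? 0 : 1;
}
```

The structured-binding form in the commit (`auto& [some_pointer, ...] = *params;`) behaves like the vulnerable handler here: the binding is a reference into userspace memory, so each use is a fresh fetch. The fixed handler takes the copies by value, which is what makes the validation result stick.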
ACPI Kernel: Create a basic SMBIOS Decoder 2020-01-02 00:50:09 +01:00
Arch/i386 Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
Devices Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
FileSystem Kernel: Entries in /dev/pts should be accessible only to the owner 2020-01-04 12:46:48 +01:00
Heap Kernel: Demangle userspace ELF symbols in backtraces 2019-11-27 14:06:24 +01:00
Net Kernel: Make LocalSocket pre-bind GID be gid_t (#1012) 2020-01-04 10:05:01 +01:00
PCI Kernel: Fixing PCI MMIO access mechanism 2020-01-02 21:45:04 +01:00
TTY Kernel: File::open() should apply r/w mode from the provided options 2020-01-04 12:30:55 +01:00
VM Kernel: InodeVMObject can't call Inode::size() with interrupts disabled 2020-01-03 15:40:03 +01:00
.bochsrc Meta: Make Serenity run on Bochs once again 2019-08-06 21:09:24 +02:00
.gitignore Meta: Removed all gitignore in the source tree only keeping the root one 2019-06-30 10:41:26 +02:00
Assertions.h Kernel: Move i386.{cpp,h} => Arch/i386/CPU.{cpp,h} 2019-06-07 20:02:01 +02:00
build-gpt-image-grub.sh Build: Fix more bugs in the POSIX sh-ification of scripts 2019-11-03 13:11:43 +01:00
build-image-grub.sh Build: Bump the default disk image size from 500MB to 600MB 2019-11-26 12:54:33 +01:00
build-image-qemu.sh Build: add support for building on OpenBSD 2020-01-02 21:03:53 +01:00
build-root-filesystem.sh Base: Only allow members of the "wheel" group to use /bin/su 2020-01-04 13:35:25 +01:00
CMOS.cpp AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
CMOS.h AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
Console.cpp Kernel: Make File's can_read/can_write take a const FileDescription& 2019-11-04 14:03:14 +01:00
Console.h Kernel: Make File's can_read/can_write take a const FileDescription& 2019-11-04 14:03:14 +01:00
DoubleBuffer.cpp Revert "Kernel: Make DoubleBuffer use a KBuffer instead of kmalloc()ing" 2019-10-18 15:58:06 +02:00
DoubleBuffer.h Revert "Kernel: Make DoubleBuffer use a KBuffer instead of kmalloc()ing" 2019-10-18 15:58:06 +02:00
FB.h Kernel: Add framebuffer ioctls; wrap raw ioctls with a C API 2019-08-18 07:40:02 +02:00
grub.cfg Kernel: Embrace the SerenityOS name 2019-12-29 19:08:02 +01:00
grub_gpt.cfg Kernel: Embrace the SerenityOS name 2019-12-29 19:08:02 +01:00
init.cpp Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
IO.h Kernel: First cut of a sb16 driver 2019-07-13 08:00:24 +02:00
IRQHandler.cpp Kernel: Move PIC.cpp into Arch/i386/ 2019-07-09 15:04:43 +02:00
IRQHandler.h AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
KBuffer.h Kernel: Make kernel memory regions be non-executable by default 2019-12-25 22:41:34 +01:00
KBufferBuilder.cpp Kernel: Make kernel memory regions be non-executable by default 2019-12-25 22:41:34 +01:00
KBufferBuilder.h AK: Rename <AK/AKString.h> to <AK/String.h> 2019-09-06 15:36:54 +02:00
KernelInfoPage.h Kernel+LibC: Publish a "kernel info page" and use it for gettimeofday() 2019-12-15 21:29:26 +01:00
KeyCode.h Kernel: Implement AltGr key support 2019-12-31 19:31:42 +01:00
KParams.cpp AK: Make HashMap::get(Key) return an Optional<Value>. 2019-07-24 10:25:43 +02:00
KParams.h AK: Rename <AK/AKString.h> to <AK/String.h> 2019-09-06 15:36:54 +02:00
kprintf.cpp Kernel: Demangle userspace ELF symbols in backtraces 2019-11-27 14:06:24 +01:00
KResult.h Kernel: Add move assign operator to KResultOr 2019-12-29 23:01:27 +01:00
kstdio.h Build: Get rid of the USERLAND define 2019-12-20 22:59:11 +01:00
KSyms.cpp Kernel: Move kernel symbols to /res/kernel.map and make it root-only 2020-01-02 20:51:31 +01:00
KSyms.h Kernel: Allow modules to link against anything in kernel.map :^) 2019-11-28 21:30:20 +01:00
linker.ld Revert "Kernel: Move Kernel mapping to 0xc0000000" 2019-11-23 17:27:09 +01:00
Lock.cpp Kernel: Use a dedicated thread state for wait-queued threads 2019-12-01 16:02:58 +01:00
Lock.h Kernel: Add Lock::is_locked() 2019-12-26 11:43:23 +01:00
makeall.sh Build: add support for building on OpenBSD 2020-01-02 21:03:53 +01:00
Makefile Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
mkmap.sh Kernel: Allow modules to link against anything in kernel.map :^) 2019-11-28 21:30:20 +01:00
Module.h Kernel: Implement basic module unloading :^) 2019-11-28 21:07:22 +01:00
MousePacket.h AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
Multiboot.h AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
Process.cpp Kernel: Fix bad TOCTOU pattern in syscalls that take a parameter struct 2020-01-05 10:37:57 +01:00
Process.h Kernel: Remove some unused Process members 2020-01-04 19:53:29 +01:00
ProcessTracer.cpp AK: Rename the common integer typedefs to make it obvious what they are. 2019-07-03 21:20:13 +02:00
ProcessTracer.h Kernel: Make File's can_read/can_write take a const FileDescription& 2019-11-04 14:03:14 +01:00
Profiling.cpp Kernel: Separate out the symbol offsets in profile output 2019-12-12 21:59:47 +01:00
Profiling.h Kernel: Separate out the symbol offsets in profile output 2019-12-12 21:59:47 +01:00
Random.cpp Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
Random.h Kernel: Add a more expressive API for getting random bytes 2020-01-03 12:43:07 +01:00
RTC.cpp Kernel: Fix BIOS date/time on hardware 2019-09-28 13:59:49 +02:00
RTC.h Add clang-format file 2019-05-28 17:31:20 +02:00
run Kernel: Fixing PCI MMIO access mechanism 2020-01-02 21:45:04 +01:00
Scheduler.cpp Kernel: Prevent executing I/O instructions in userspace 2020-01-01 17:31:41 +01:00
Scheduler.h Kernel: Switch to eagerly restoring x86 FPU state on context switch 2020-01-01 16:54:21 +01:00
SharedBuffer.cpp Kernel: Rename vmo => vmobject everywhere 2019-12-19 19:15:27 +01:00
SharedBuffer.h Kernel+LibC: Make all SharedBuffers purgeable (default: non-volatile) 2019-12-09 20:06:47 +01:00
StdLib.cpp Kernel+LibC: Build with basic -fstack-protector support 2019-12-20 21:03:32 +01:00
StdLib.h Kernel: Introduce the ACPI subsystem 2020-01-02 00:50:09 +01:00
sync.sh Build: Make sure PATH is passed properly (#765) 2019-11-12 10:26:50 +01:00
Syscall.cpp Kernel: Use get_fast_random() for the random syscall stack offset 2020-01-03 12:48:28 +01:00
Syscall.h Kernel: Remove unused "putch" syscall 2020-01-04 16:00:25 +01:00
TestModule.cpp Kernel: Have modules export their name in a "module_name" string 2019-11-29 21:31:17 +01:00
Thread.cpp Kernel: Use Thread::from_tid() in more places 2020-01-04 18:56:04 +01:00
Thread.h Kernel: Switch to eagerly restoring x86 FPU state on context switch 2020-01-01 16:54:21 +01:00
TimerQueue.cpp Kernel: Add kernel-level timer queue (heavily based on @juliusf's work) 2019-12-27 02:15:45 +01:00
TimerQueue.h Kernel: Add kernel-level timer queue (heavily based on @juliusf's work) 2019-12-27 02:15:45 +01:00
UnixTypes.h Kernel: Add a mode flag to sys$purge and allow purging clean inodes 2019-12-29 13:16:53 +01:00
WaitQueue.cpp Kernel: Use IntrusiveList to make WaitQueue allocation-free :^) 2019-12-22 12:38:01 +01:00
WaitQueue.h Kernel: Use IntrusiveList to make WaitQueue allocation-free :^) 2019-12-22 12:38:01 +01:00