mirror of https://github.com/RGBCube/serenity synced 2025-05-31 14:38:11 +00:00
serenity/Kernel
Brian Gianforcaro ed6d842f85 Kernel: Fix OOB read in sys$dbgputstr(..) during fuzzing
The implementation uses try_copy_kstring_from_user to allocate a kernel
string, but does not use the length of the resulting string.
The size parameter to the syscall is untrusted, as try copy kstring will
attempt to perform a `safe_strlen(..)` on the user mode string and use
that value for the allocated length of the KString instead. The bug is
that we are printing the kstring, but with the usermode size argument.

During fuzzing this resulted in us walking off the end of the allocated
KString buffer printing garbage (or any kernel data!), until we stumbled
into the KSym region and hit a fatal page fault.

This is technically a kernel information disclosure, but (un)fortunately
the disclosure only happens to the Bochs debug port, and/or the serial
port if serial debugging is enabled. As far as I can tell it's not
actually possible for an untrusted attacker to use this to do something
nefarious, as they would need access to the host. If they have host
access then they can already do much worse things :^).
2021-08-13 11:08:11 +02:00
ACPI Kernel: Move Mutex into Locking/ 2021-08-07 11:48:00 +02:00
API Kernel+LibC: Add sys$perf_register_string() 2021-08-12 00:03:39 +02:00
Arch Kernel: Disambiguate instruction size for mov in read_gs_ptr 2021-08-11 12:34:47 +02:00
Bus Kernel: Move VirtIO code into the Bus source folder 2021-08-13 08:06:47 +02:00
Devices Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
FileSystem Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
Graphics Kernel: Move VirtIO code into the Bus source folder 2021-08-13 08:06:47 +02:00
Heap Kernel/SMP: Make entering/leaving critical sections multi-processor safe 2021-08-10 02:49:37 +02:00
Interrupts Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
Locking Kernel/SMP: Fix RecursiveSpinLock remembering the wrong CPU when locking 2021-08-11 12:34:55 +02:00
Memory Kernel: Don't hog MM lock in Memory::Region::clone() 2021-08-09 11:46:31 +02:00
Modules Everything: Move to SPDX license identifiers in all files. 2021-04-22 11:22:27 +02:00
Net Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
Prekernel Meta: Add Clang support to the CMake build scripts 2021-08-08 10:55:36 +02:00
Storage Kernel: Remove unused mutex PATADiskDevice::m_lock 2021-08-08 00:08:24 +02:00
Syscalls Kernel: Fix OOB read in sys$dbgputstr(..) during fuzzing 2021-08-13 11:08:11 +02:00
Tasks Kernel: Make VirtualFileSystem::sync() static 2021-07-11 00:26:17 +02:00
Time Kernel: Add CLOCK_MONOTONIC_COARSE to the kernel time page 2021-08-10 21:51:05 +02:00
TTY Kernel: Fix logic typo in ConsoleManagement::is_initialized() 2021-08-09 11:46:30 +02:00
AddressSanitizer.cpp Everywhere: Use bgianf@serenityos.org for my copyright attribution 2021-04-22 21:15:54 +02:00
AddressSanitizer.h Everywhere: Use bgianf@serenityos.org for my copyright attribution 2021-04-22 21:15:54 +02:00
Assertions.h AK+Kernel: Print TODO when a TODO() is executed 2021-08-04 11:01:16 +02:00
AtomicEdgeAction.h Kernel: Add AtomicEdgeAction class 2021-07-07 21:57:01 +02:00
BootInfo.h Kernel: Support loading the kernel at almost arbitrary virtual addresses 2021-07-27 13:15:16 +02:00
CMakeLists.txt Kernel: Move VirtIO code into the Bus source folder 2021-08-13 08:06:47 +02:00
CMOS.cpp Everything: Move to SPDX license identifiers in all files. 2021-04-22 11:22:27 +02:00
CMOS.h Everything: Move to SPDX license identifiers in all files. 2021-04-22 11:22:27 +02:00
CommandLine.cpp Kernel/USB: Create controller base class and introduce USBManagement 2021-08-09 21:05:25 +02:00
CommandLine.h Kernel/USB: Create controller base class and introduce USBManagement 2021-08-09 21:05:25 +02:00
ConsoleDevice.cpp Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
ConsoleDevice.h Kernel: Make various T::class_name() and similar return StringView 2021-07-11 01:46:59 +02:00
CoreDump.cpp Kernel/SMP: Skip thread registers in core dump if there is no trap frame 2021-08-10 02:49:37 +02:00
CoreDump.h Kernel: Use Forward.h headers more 2021-07-11 14:14:51 +02:00
Debug.h.in Kernel: Implement a ISO 9660 filesystem reader :^) 2021-08-07 15:21:58 +02:00
DoubleBuffer.cpp Kernel: Add convenience values to the Memory::Region::Access enum 2021-08-06 22:25:00 +02:00
DoubleBuffer.h Kernel: Move Mutex into Locking/ 2021-08-07 11:48:00 +02:00
embedmap.sh Kernel: Make new kernel build process work on macOS 2021-07-15 11:04:30 +02:00
Forward.h Kernel: Simplify the per-CPU SchedulerData struct 2021-08-08 14:24:54 +02:00
FutexQueue.cpp Kernel: Fix futex race that could lead to thread waiting forever 2021-07-07 10:05:55 +02:00
FutexQueue.h Kernel: Move SpinLock.h into Locking/ 2021-08-07 11:48:00 +02:00
GlobalProcessExposed.cpp Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
init.cpp Kernel: Move VirtIO code into the Bus source folder 2021-08-13 08:06:47 +02:00
IO.h Kernel: Specify I/O size for BMIDEChannel 2021-06-28 15:55:00 +02:00
KBuffer.h Kernel: Add convenience values to the Memory::Region::Access enum 2021-08-06 22:25:00 +02:00
KBufferBuilder.cpp Kernel: Add convenience values to the Memory::Region::Access enum 2021-08-06 22:25:00 +02:00
KBufferBuilder.h Kernel: Remove KBufferBuilder's can_expand restriction 2021-07-20 18:05:05 +02:00
KLexicalPath.cpp Kernel: Make KLexicalPath::basename() more compliant 2021-07-11 14:10:58 +02:00
KLexicalPath.h Kernel: Add KLexicalPath::try_join and use it 2021-07-07 15:32:17 +02:00
kprintf.cpp Kernel: Introduce a StringView overload of dbgputstr(..) 2021-08-13 11:08:11 +02:00
KResult.h AK+Kernel: Fix perfect forwarding constructors shadowing others 2021-07-08 10:11:00 +02:00
kstdio.h Kernel: Introduce a StringView overload of dbgputstr(..) 2021-08-13 11:08:11 +02:00
KString.cpp Kernel: Allow passing null pointer to delete 2021-07-14 13:12:25 +02:00
KString.h Kernel: Annotate KString methods as [[nodiscard]] 2021-08-13 11:08:11 +02:00
KSyms.cpp Kernel: Print panic backtrace to both the screen and serial 2021-08-04 20:14:54 +02:00
KSyms.h Kernel: Print panic backtrace to both the screen and serial 2021-08-04 20:14:54 +02:00
linker.ld Kernel: Support loading the kernel at almost arbitrary virtual addresses 2021-07-27 13:15:16 +02:00
MiniStdLib.cpp Kernel: Introduce basic pre-kernel environment 2021-07-18 17:31:13 +02:00
mkmap.sh Kernel: Use our toolchain's c++filt tool for the kernel map 2021-07-29 10:38:31 +02:00
Module.h Everything: Move to SPDX license identifiers in all files. 2021-04-22 11:22:27 +02:00
Multiboot.h Prekernel: Export some multiboot parameters in our own BootInfo struct 2021-07-27 13:15:16 +02:00
Panic.cpp Kernel: Print panic backtrace to both the screen and serial 2021-08-04 20:14:54 +02:00
Panic.h Kernel/Graphics + SystemServer: Support text mode properly 2021-05-16 19:58:33 +02:00
PerformanceEventBuffer.cpp Kernel: Make sys$perf_register_string() generate the string ID's 2021-08-12 00:03:39 +02:00
PerformanceEventBuffer.h Kernel: Make sys$perf_register_string() generate the string ID's 2021-08-12 00:03:39 +02:00
PerformanceManager.h Kernel: Add syscall performance event type 2021-08-10 21:55:48 +02:00
PhysicalAddress.h Kernel: Move PhysicalPage classes out of the heap into an array 2021-07-08 11:43:34 +02:00
Process.cpp Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
Process.h Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
ProcessExposed.cpp Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
ProcessExposed.h Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
ProcessGroup.cpp Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
ProcessGroup.h Kernel: Port process groups to SpinLockProtectedValue 2021-08-07 13:30:59 +02:00
ProcessSpecificExposed.cpp Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
Random.cpp Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
Random.h Kernel: Move Lockable into its own header 2021-08-07 11:48:00 +02:00
RTC.cpp Kernel: Ensure we read valid values from the RTC CMOS registers 2021-08-04 19:53:04 +02:00
RTC.h Kernel: Ensure we read valid values from the RTC CMOS registers 2021-08-04 19:53:04 +02:00
SanCov.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
Scheduler.cpp Kernel/SMP: Make entering/leaving critical sections multi-processor safe 2021-08-10 02:49:37 +02:00
Scheduler.h Kernel: Rename queue_runnable_thread() => enqueue_runnable_thread() 2021-08-08 14:24:55 +02:00
Sections.h Kernel: Support loading the kernel at almost arbitrary virtual addresses 2021-07-27 13:15:16 +02:00
StdLib.cpp Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
StdLib.h Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
Syscall.cpp Kernel: Add syscall performance event type 2021-08-10 21:55:48 +02:00
Thread.cpp Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
Thread.h Kernel: Steer away from heap allocations for ProcFS process data 2021-08-12 20:57:32 +02:00
ThreadBlockers.cpp Kernel: Make AsyncDeviceRequest::name() return StringView 2021-08-06 00:37:47 +02:00
ThreadTracer.cpp Kernel: Remove unused header includes in root kernel tree 2021-07-11 21:37:38 +02:00
ThreadTracer.h Everywhere: Use nothrow new with adopt_{ref,own}_if_nonnull 2021-06-24 17:35:49 +04:30
TimerQueue.cpp Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
TimerQueue.h Kernel: Do not cancel stale timers when servicing sys$alarm 2021-08-03 18:44:01 +02:00
UBSanitizer.cpp Kernel: Pull apart CPU.h 2021-06-24 00:38:23 +02:00
UnixTypes.h Kernel+LibC: Use 64 bit values for ino_t 2021-08-12 20:57:32 +02:00
UserOrKernelBuffer.cpp Kernel: Move Kernel/Memory/ code into Kernel::Memory namespace 2021-08-06 14:05:58 +02:00
UserOrKernelBuffer.h Kernel: Move Kernel/Memory/ code into Kernel::Memory namespace 2021-08-06 14:05:58 +02:00
VirtualAddress.h Kernel: Make VirtualAddress::page_base() work with 64-bit addresses 2021-07-18 17:31:13 +02:00
WaitQueue.cpp Everywhere: Use "the SerenityOS developers." in copyright headers 2021-04-29 00:59:26 +02:00
WaitQueue.h Kernel: Move SpinLock.h into Locking/ 2021-08-07 11:48:00 +02:00
WorkQueue.cpp Kernel: Move SpinLock.h into Locking/ 2021-08-07 11:48:00 +02:00
WorkQueue.h Kernel: Use plain Function objects for the WorkQueue 2021-05-19 21:36:57 +02:00