author | asynts <asynts@gmail.com> | 2020-09-16 16:55:29 +0200 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2020-09-16 17:10:04 +0200 |
commit | 0579a2db34cea807ed092e29c5a895cb9f0853d2 (patch) | |
tree | d5572a893e42e36b9a3096124544832aa4c7a61f | |
parent | f69281573e422990e2102fc5f365cc3cfa4ac068 (diff) | |
download | serenity-0579a2db34cea807ed092e29c5a895cb9f0853d2.zip |
Kernel: Fix kernel crash in get_dir_entries when buffer too small.
Before e06362de9487806df92cf2360a42d3eed905b6bf this was a sneaky buffer
overflow. BufferStream did not do range checking and continued to write
past the allocated buffer (the size of which was controlled by the
user).
The issue surfaced after my changes because OutputMemoryStream does
range checking.
Not sure how exploitable that bug was; directory entries are somewhat
controllable by the user, but the buffer was on the heap, so exploiting
that should be tough.
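The commit message describes two different ways a too-small, user-sized buffer can be caught: the old size comparison, which only makes sense for a stream that silently writes past its end, and a range-checked stream that refuses the write and leaves a recoverable error that must be consumed. The following is an added example written for this page, not SerenityOS code: it models a bounded output stream with such an error flag and runs a get_dir_entries-style serializer through both checks. All names in it (BoundedOutputStream, DirEntry, fill_dir_entries, old_check, new_check, sample_entries) and the entry layout are assumptions for the illustration.

```cpp
// Added example, not SerenityOS code. Every name here (BoundedOutputStream,
// DirEntry, fill_dir_entries, old_check, new_check, sample_entries) and the
// <uint32 length><name bytes> entry layout are assumptions for illustration.
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct DirEntry {
    std::string name;
};

// Range-checked output stream: a write that does not fit is dropped whole
// and sets a recoverable error that the caller is expected to acknowledge
// through handle_recoverable_error(). The stream never grows past capacity.
class BoundedOutputStream {
public:
    explicit BoundedOutputStream(size_t capacity) : m_buffer(capacity) {}

    bool write(const void* data, size_t length)
    {
        if (length > m_buffer.size() - m_size) {
            m_recoverable_error = true;
            return false;
        }
        std::memcpy(m_buffer.data() + m_size, data, length);
        m_size += length;
        return true;
    }

    // Reports whether an error is pending and clears it.
    bool handle_recoverable_error()
    {
        bool had_error = m_recoverable_error;
        m_recoverable_error = false;
        return had_error;
    }

    bool has_unhandled_error() const { return m_recoverable_error; }
    size_t size() const { return m_size; }
    const uint8_t* data() const { return m_buffer.data(); }

private:
    std::vector<uint8_t> m_buffer;
    size_t m_size = 0;
    bool m_recoverable_error = false;
};

// Serialize entries as <uint32 name length><name bytes>, stopping at the
// first refused write. Returns how many entries were written completely.
static size_t fill_dir_entries(BoundedOutputStream& stream, const std::vector<DirEntry>& entries)
{
    size_t written = 0;
    for (const auto& entry : entries) {
        uint32_t length = static_cast<uint32_t>(entry.name.size());
        if (!stream.write(&length, sizeof(length)))
            break;
        if (!stream.write(entry.name.data(), entry.name.size()))
            break;
        ++written;
    }
    return written;
}

struct OldCheckResult {
    long return_value;          // bytes produced, or -EINVAL
    bool error_left_unhandled;  // stream error still pending at return
};

// Pre-fix shape of the check: compare the caller's size with the stream
// size. A bounded stream never exceeds its capacity, so this never fires;
// a truncated listing is reported as complete and the error stays pending.
static OldCheckResult old_check(const std::vector<DirEntry>& entries, size_t size)
{
    BoundedOutputStream stream(size);
    fill_dir_entries(stream, entries);
    if (size < stream.size())
        return { -EINVAL, false };
    return { static_cast<long>(stream.size()), stream.has_unhandled_error() };
}

// Post-fix shape of the check: ask the stream whether any write was refused,
// which also clears the pending error before the stream goes away.
static long new_check(const std::vector<DirEntry>& entries, size_t size)
{
    BoundedOutputStream stream(size);
    fill_dir_entries(stream, entries);
    if (stream.handle_recoverable_error())
        return -EINVAL;
    return static_cast<long>(stream.size());
}

// Constructed sample listing: 5 + 6 + 12 = 23 bytes once serialized.
static std::vector<DirEntry> sample_entries()
{
    return { { "." }, { ".." }, { "file.txt" } };
}

int main()
{
    const auto entries = sample_entries();
    for (size_t size : { size_t(32), size_t(16) }) {
        auto old_result = old_check(entries, size);
        std::printf("size=%zu old_check=%ld unhandled=%d new_check=%ld\n",
            size, old_result.return_value, old_result.error_left_unhandled, new_check(entries, size));
    }
    return 0;
}
```

With a 32-byte buffer both checks report 23 bytes. With a 16-byte buffer the third entry's name is refused, so the stream holds 15 bytes: the old comparison (16 < 15) is false and returns a truncated listing with the error still pending, while the new check returns -EINVAL and leaves no unhandled error behind.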
-rw-r--r-- | Kernel/FileSystem/FileDescription.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Kernel/FileSystem/FileDescription.cpp b/Kernel/FileSystem/FileDescription.cpp index a361e1d046..31216fa78f 100644 --- a/Kernel/FileSystem/FileDescription.cpp +++ b/Kernel/FileSystem/FileDescription.cpp @@ -191,7 +191,7 @@ ssize_t FileDescription::get_dir_entries(UserOrKernelBuffer& buffer, ssize_t siz if (result.is_error()) return result; - if (static_cast<size_t>(size) < stream.size()) + if (stream.handle_recoverable_error()) return -EINVAL; if (!buffer.write(stream.bytes())) |
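Review bot: the early return `if (result.is_error()) return result;` just above the changed line still leaves a pending stream error unhandled when `result` is an error after `stream` has already refused a write, so the unhandled-error state this commit fixes remains reachable on that path; consider acknowledging the stream error there too, e.g. `if (result.is_error()) { stream.handle_recoverable_error(); return result; }`. A one-line comment above `if (stream.handle_recoverable_error())` saying that OutputMemoryStream refuses writes that do not fit, so `stream.size()` can no longer exceed `size` and the removed comparison could never fire, would also make clear why -EINVAL is the correct result here.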