author | Andreas Kling <kling@serenityos.org> | 2021-02-14 09:03:54 +0100 |
committer | Andreas Kling <kling@serenityos.org> | 2021-02-14 09:36:58 +0100 |
commit | 198d64180886e6fad2997513c4c8f68b1338f4e4 (patch) | |
tree | 28055419fea88ee9220f3002bdd44800ee751708 | |
parent | b712345c922cfd32e7ec971f817af97ca7ee7ab4 (diff) | |
Kernel: Panic on attempt to map mmap'ed page at a kernel address
If we somehow get tricked into mapping user-controlled mmap memory
at a kernel address, let's just panic the kernel.
-rw-r--r-- | Kernel/VM/Region.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/Kernel/VM/Region.cpp b/Kernel/VM/Region.cpp
index dcf416149a..94bcb677c2 100644
--- a/Kernel/VM/Region.cpp
+++ b/Kernel/VM/Region.cpp
@@ -28,6 +28,7 @@
 #include <AK/StringView.h>
 #include <Kernel/Debug.h>
 #include <Kernel/FileSystem/Inode.h>
+#include <Kernel/Panic.h>
 #include <Kernel/Process.h>
 #include <Kernel/Thread.h>
 #include <Kernel/VM/AnonymousVMObject.h>
@@ -258,6 +259,12 @@ bool Region::map_individual_page_impl(size_t page_index)
 {
     ASSERT(m_page_directory->get_lock().own_lock());
     auto page_vaddr = vaddr_from_page_index(page_index);
+
+    bool user_allowed = page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr);
+    if (is_mmap() && !user_allowed) {
+        PANIC("About to map mmap'ed page at a kernel address");
+    }
+
     auto* pte = MM.ensure_pte(*m_page_directory, page_vaddr);
     if (!pte)
         return false;
@@ -274,7 +281,7 @@ bool Region::map_individual_page_impl(size_t page_index)
         pte->set_writable(is_writable());
         if (Processor::current().has_feature(CPUFeature::NX))
             pte->set_execute_disabled(!is_executable());
-        pte->set_user_allowed(page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr));
+        pte->set_user_allowed(user_allowed);
     }
     return true;
 }
|
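Review bot: The new `user_allowed` computation in the second hunk still carries the bare literal `0x00800000` with no explanation, and since the same value now also drives `pte->set_user_allowed(user_allowed)` in the third hunk, the invariant the PANIC enforces is effectively undocumented. A one-line comment above it, e.g. `// A page is user-accessible only if it lies at or above 0x00800000 (presumably the lowest user-mappable address — confirm) and within the user address range.`, or a named constant in place of the literal, would make the guard self-explaining. The guard fires only for `is_mmap()` regions, so other region kinds reaching `ensure_pte` with `user_allowed == false` still proceed silently; it is worth confirming that mmap is the only path through which caller-influenced addresses can reach this function. The body of `map_individual_page_impl` continues outside the hunks, and the `}` before `return true;` closes a block that begins outside the third hunk.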