authorTom <tomut@yahoo.com>2022-01-02 16:25:08 -0700
committerLinus Groh <mail@linusgroh.de>2022-01-04 17:46:36 +0000
commit190572b7142e6cbfd6ce3ab5a6ad9e528a5a8f89 (patch)
tree6be9210924037d5c6cb61d348eccb3956a62f2e7 /Kernel/Memory
parente70aa690d2a073c3beb9043c17bb646241f57a60 (diff)
downloadserenity-190572b7142e6cbfd6ce3ab5a6ad9e528a5a8f89.zip
Kernel: Fix possible buffer overrun when scanning a MappedROM
If the length of the prefix was less than the chunk_size argument, we were potentially reading past the mapped memory region.
Diffstat (limited to 'Kernel/Memory')
-rw-r--r--Kernel/Memory/MappedROM.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/Kernel/Memory/MappedROM.h b/Kernel/Memory/MappedROM.h
index 791cf3d43d..e80870c8f2 100644
--- a/Kernel/Memory/MappedROM.h
+++ b/Kernel/Memory/MappedROM.h
@@ -23,7 +23,10 @@ public:
Optional<PhysicalAddress> find_chunk_starting_with(StringView prefix, size_t chunk_size) const
{
- for (auto* candidate = base(); candidate < end(); candidate += chunk_size) {
+ auto prefix_length = prefix.length();
+ if (size < prefix_length)
+ return {};
+ for (auto* candidate = base(); candidate <= end() - prefix_length; candidate += chunk_size) {
if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length()))
return paddr_of(candidate);
}