authorAndreas Kling <kling@serenityos.org>2021-03-10 19:59:46 +0100
committerAndreas Kling <kling@serenityos.org>2021-03-10 22:30:02 +0100
commitcbcf891040e9921ff628fdda668c9738f358a178 (patch)
tree6f50101dc6c2993361fa4436923927faa98c6e14 /Kernel/Syscalls/kill.cpp
parent839d2d70a4bd73d9162a03430c20c1ee2e542331 (diff)
Kernel: Move select Process members into protected memory
Process member variables like m_euid are very valuable targets for kernel exploits and until now they have been writable at all times. This patch moves m_euid along with a whole bunch of other members into a new Process::ProtectedData struct. This struct is remapped as read-only memory whenever we don't need to write to it. This means that a kernel write primitive is no longer enough to overwrite a process's effective UID; you must first unprotect the protected data where the UID is stored. :^)
Diffstat (limited to 'Kernel/Syscalls/kill.cpp')
-rw-r--r--Kernel/Syscalls/kill.cpp8
1 files changed, 4 insertions, 4 deletions
diff --git a/Kernel/Syscalls/kill.cpp b/Kernel/Syscalls/kill.cpp
index 1a75d77c06..c27d056c80 100644
--- a/Kernel/Syscalls/kill.cpp
+++ b/Kernel/Syscalls/kill.cpp
@@ -32,7 +32,7 @@ KResult Process::do_kill(Process& process, int signal)
{
// FIXME: Allow sending SIGCONT to everyone in the process group.
// FIXME: Should setuid processes have some special treatment here?
- if (!is_superuser() && m_euid != process.m_uid && m_uid != process.m_uid)
+ if (!is_superuser() && euid() != process.uid() && uid() != process.uid())
return EPERM;
if (process.is_kernel_process() && signal == SIGKILL) {
klog() << "attempted to send SIGKILL to kernel process " << process.name().characters() << "(" << process.pid().value() << ")";
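Review bot: The permission check on the rewritten line (`euid() != process.uid() && uid() != process.uid()`) compares the caller's real and effective UID only against the target's real UID, so a target whose saved set-user-ID matches the caller is refused with EPERM; POSIX kill(2) lets the sender's real or effective UID match the target's real or saved set-user-ID. That is the conservative direction (a spurious EPERM rather than a spurious signal), but it is exactly the case the FIXME just above the check asks about, so the rule being enforced should be stated next to it: `// Sender's real or effective UID must match the target's real UID (POSIX also admits the target's saved set-UID; see FIXME above).` If Process exposes the saved set-uid through an accessor, extending the condition with the same two comparisons against it would bring the check in line with the spec. do_kill's body continues outside the hunk, so any later checks on the target are not visible here.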
@@ -89,7 +89,7 @@ KResult Process::do_killall(int signal)
ScopedSpinLock lock(g_processes_lock);
for (auto& process : *g_processes) {
KResult res = KSuccess;
- if (process.pid() == m_pid)
+ if (process.pid() == pid())
res = do_killself(signal);
else
res = do_kill(process, signal);
@@ -119,7 +119,7 @@ KResult Process::do_killself(int signal)
KResultOr<int> Process::sys$kill(pid_t pid_or_pgid, int signal)
{
- if (pid_or_pgid == m_pid.value())
+ if (pid_or_pgid == pid().value())
REQUIRE_PROMISE(stdio);
else
REQUIRE_PROMISE(proc);
@@ -133,7 +133,7 @@ KResultOr<int> Process::sys$kill(pid_t pid_or_pgid, int signal)
}
if (pid_or_pgid == -1)
return do_killall(signal);
- if (pid_or_pgid == m_pid.value()) {
+ if (pid_or_pgid == pid().value()) {
return do_killself(signal);
}
VERIFY(pid_or_pgid >= 0);