diff options
| author | Brian Gianforcaro <b.gianfo@gmail.com> | 2021-02-24 06:02:51 -0800 |
|---|---|---|
| committer | Andreas Kling <kling@serenityos.org> | 2021-02-24 15:14:13 +0100 |
| commit | 303620ea85c47928fce0f121b213e8ea0190f335 (patch) | |
| tree | d15bc7587e3ede9c9333a3285087071990a84348 /Kernel | |
| parent | 7db8ccc0e47e09e6c5d015a042c374b43cdd43ed (diff) | |
| download | serenity-303620ea85c47928fce0f121b213e8ea0190f335.zip | |
Kernel: Fix pointer overflow in create_thread
KUBSAN found this overflow from syscall fuzzing.
Fixes #5498
Diffstat (limited to 'Kernel')
| -rw-r--r-- | Kernel/Syscalls/thread.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Kernel/Syscalls/thread.cpp b/Kernel/Syscalls/thread.cpp index 6ad8e266c7..34d285f417 100644 --- a/Kernel/Syscalls/thread.cpp +++ b/Kernel/Syscalls/thread.cpp @@ -24,6 +24,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include <AK/Checked.h> #include <AK/String.h> #include <AK/StringBuilder.h> #include <AK/StringView.h> @@ -45,6 +46,9 @@ int Process::sys$create_thread(void* (*entry)(void*), Userspace<const Syscall::S int schedule_priority = params.m_schedule_priority; unsigned stack_size = params.m_stack_size; + if (Checked<FlatPtr>::addition_would_overflow((FlatPtr)params.m_stack_location, stack_size)) + return -EOVERFLOW; + auto user_stack_address = (u8*)params.m_stack_location + stack_size; if (!MM.validate_user_stack(*this, VirtualAddress(user_stack_address - 4))) |