author | Sergey Bugaev <bugaevc@serenityos.org> | 2020-05-31 21:56:17 +0300 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2020-05-31 21:38:50 +0200 |
commit | a77405665f4005aae834dc9fe0fc715a843296b5 (patch) | |
tree | eff8602cdbab3ad2e82682ffd99c874442dc3ac0 /Kernel | |
parent | c3db694d9b6423047cdd711dee996edc2e52ee88 (diff) | |
Kernel: Fix overflow in Process::validate_{read,write}_typed()
Userspace could pass us a large count to overflow the check. I'm not enough of a
haxx0r to write an actual exploit though.
Diffstat (limited to 'Kernel')
-rw-r--r-- | Kernel/Process.h | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/Kernel/Process.h b/Kernel/Process.h
index fa52440707..7513de3eb8 100644
--- a/Kernel/Process.h
+++ b/Kernel/Process.h
@@ -26,6 +26,7 @@
 #pragma once
+#include <AK/Checked.h>
 #include <AK/FixedArray.h>
 #include <AK/HashMap.h>
 #include <AK/InlineLinkedList.h>
@@ -332,8 +333,17 @@ public:
 [[nodiscard]] bool validate_read(const void*, size_t) const;
 [[nodiscard]] bool validate_write(void*, size_t) const;
+
 template<typename T>
- [[nodiscard]] bool validate_read_typed(T* value, size_t count = 1) { return validate_read(value, sizeof(T) * count); }
+ [[nodiscard]] bool validate_read_typed(T* value, size_t count = 1)
+ {
+ Checked size = sizeof(T);
+ size *= count;
+ if (size.has_overflow())
+ return false;
+ return validate_read(value, size.value());
+ }
+
 template<typename T>
 [[nodiscard]] bool validate_read_and_copy_typed(T* dest, const T* src)
 {
@@ -343,8 +353,17 @@ public:
 }
 return validated;
 }
+
 template<typename T>
- [[nodiscard]] bool validate_write_typed(T* value, size_t count = 1) { return validate_write(value, sizeof(T) * count); }
+ [[nodiscard]] bool validate_write_typed(T* value, size_t count = 1)
+ {
+ Checked size = sizeof(T);
+ size *= count;
+ if (size.has_overflow())
+ return false;
+ return validate_write(value, size.value());
+ }
+
 template<typename DataType, typename SizeType>
 [[nodiscard]] bool validate(const Syscall::MutableBufferArgument<DataType, SizeType>&);
 template<typename DataType, typename SizeType> |
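Review bot: The new guard in validate_read_typed() rejects only a wrap of `sizeof(T) * count`; whether `value + size` can still wrap past the end of the address space is decided inside validate_read()/validate_write(), whose bodies are not part of this diff, so that range check should be confirmed there. The same applies to validate_write_typed() in the third hunk. Because the element type of `Checked` is left to deduction, I would spell it `Checked<size_t> size = sizeof(T);` so the checked width visibly matches the size_t parameter of validate_read(), and add a comment such as `// count is userspace-controlled: fail validation if sizeof(T) * count overflows size_t`. The identical body in both functions could also move into one private helper so the two checks cannot drift apart.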