authorBen Wiederhake <BenWiederhake.GitHub@gmx.de>2021-02-15 21:06:18 +0100
committerAndreas Kling <kling@serenityos.org>2021-02-15 22:09:01 +0100
commitfbb85f9b2f1aaa68407590a94ce046fa0c2271ad (patch)
tree13afd3df5513bd70356e843df0563ecc5baf40fc /Kernel
parentfc2a4511ece972886c0e6caa16313d9a097339ae (diff)
downloadserenity-fbb85f9b2f1aaa68407590a94ce046fa0c2271ad.zip
Kernel: Refuse excessively long iovec list, also in readv
This bug is a good example why copy-paste code should eventually be eliminated from the code base: Apparently the code was copied from read.cpp before c6027ed7cce901dc0d2b6f68002a911178ae587f, so the same bug got introduced here. To recap: A malicious program can ask the Kernel to prepare a readv() over a huge number of iovecs. The Kernel must first copy all the vector locations into 'vecs', and before that allocates an arbitrary amount of memory: vecs.resize(iov_count); This can cause Kernel memory exhaustion, triggered by any malicious userland program.
Diffstat (limited to 'Kernel')
-rw-r--r--Kernel/Syscalls/read.cpp9
1 files changed, 3 insertions, 6 deletions
diff --git a/Kernel/Syscalls/read.cpp b/Kernel/Syscalls/read.cpp
index b9c1256270..801e84d250 100644
--- a/Kernel/Syscalls/read.cpp
+++ b/Kernel/Syscalls/read.cpp
@@ -36,12 +36,9 @@ ssize_t Process::sys$readv(int fd, Userspace<const struct iovec*> iov, int iov_c
if (iov_count < 0)
return -EINVAL;
- {
- Checked checked_iov_count = sizeof(iovec);
- checked_iov_count *= iov_count;
- if (checked_iov_count.has_overflow())
- return -EFAULT;
- }
+ // Arbitrary pain threshold.
+ if (iov_count > (int)MiB)
+ return -EFAULT;
u64 total_length = 0;
Vector<iovec, 32> vecs;