From cbcf891040e9921ff628fdda668c9738f358a178 Mon Sep 17 00:00:00 2001 From: Andreas Kling Date: Wed, 10 Mar 2021 19:59:46 +0100 Subject: Kernel: Move select Process members into protected memory Process member variable like m_euid are very valuable targets for kernel exploits and until now they have been writable at all times. This patch moves m_euid along with a whole bunch of other members into a new Process::ProtectedData struct. This struct is remapped as read-only memory whenever we don't need to write to it. This means that a kernel write primitive is no longer enough to overwrite a process's effective UID, you must first unprotect the protected data where the UID is stored. :^) --- Kernel/Syscalls/kill.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'Kernel/Syscalls/kill.cpp') diff --git a/Kernel/Syscalls/kill.cpp b/Kernel/Syscalls/kill.cpp index 1a75d77c06..c27d056c80 100644 --- a/Kernel/Syscalls/kill.cpp +++ b/Kernel/Syscalls/kill.cpp @@ -32,7 +32,7 @@ KResult Process::do_kill(Process& process, int signal) { // FIXME: Allow sending SIGCONT to everyone in the process group. // FIXME: Should setuid processes have some special treatment here? - if (!is_superuser() && m_euid != process.m_uid && m_uid != process.m_uid) + if (!is_superuser() && euid() != process.uid() && uid() != process.uid()) return EPERM; if (process.is_kernel_process() && signal == SIGKILL) { klog() << "attempted to send SIGKILL to kernel process " << process.name().characters() << "(" << process.pid().value() << ")"; @@ -89,7 +89,7 @@ KResult Process::do_killall(int signal) ScopedSpinLock lock(g_processes_lock); for (auto& process : *g_processes) { KResult res = KSuccess; - if (process.pid() == m_pid) + if (process.pid() == pid()) res = do_killself(signal); else res = do_kill(process, signal); 
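Review bot: The permission check on the changed line in do_kill compares the caller's uid/euid only against the target's real uid (`process.uid()`), while POSIX kill(2) also allows a match against the target's saved set-user-ID; that is the gap the FIXME directly above it is asking about, and the commit leaves it open. If ProtectedData keeps the saved uid alongside uid/euid, the test should additionally accept `euid()` or `uid()` equal to the target's saved uid (via whatever accessor exposes it), after which the second FIXME can be retired. The SIGCONT-within-session exemption in the first FIXME is a separate POSIX rule and is likewise still missing. do_kill's body continues outside the hunk (the return after the klog line is not visible here).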
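Review bot: The `process.pid() == pid()` branch in do_killall signals the caller itself via do_killself, so a kill(-1, sig) broadcast includes the sender; Linux and the BSDs exclude the calling process from kill(-1), meaning `kill -9 -1` from a shell would here take the shell down too. If matching that convention is intended, the branch reduces to `if (process.pid() == pid()) continue;`. Since do_kill appears to reject only SIGKILL for kernel processes (and logs each attempt), the loop may also want to skip kernel processes explicitly so a userspace broadcast does not produce one klog line per kernel process. The loop body and the aggregation of `res` continue past the hunk.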
@@ -119,7 +119,7 @@ KResult Process::do_killself(int signal) KResultOr Process::sys$kill(pid_t pid_or_pgid, int signal) { - if (pid_or_pgid == m_pid.value()) + if (pid_or_pgid == pid().value()) REQUIRE_PROMISE(stdio); else REQUIRE_PROMISE(proc); @@ -133,7 +133,7 @@ KResultOr Process::sys$kill(pid_t pid_or_pgid, int signal) } if (pid_or_pgid == -1) return do_killall(signal); - if (pid_or_pgid == m_pid.value()) { + if (pid_or_pgid == pid().value()) { return do_killself(signal); } VERIFY(pid_or_pgid >= 0); -- cgit v1.2.3
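Review bot: `VERIFY(pid_or_pgid >= 0)` at the end of the hunk is reachable from userspace for any negative pid other than -1 unless the block closed by the `}` at the top of the hunk already dispatches pid < -1 to process-group delivery; a user-triggerable VERIFY is a kernel panic, i.e. a local denial of service, so this is worth confirming explicitly. If that earlier block does handle process groups, a comment above the assertion — `// pid < -1 (process groups) and -1 (broadcast) were dispatched above; only a concrete pid remains` — would make the invariant auditable at the point it is asserted. sys$kill continues past the hunk.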