mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-04-21 20:15:17 +00:00
Kernel: Fix restrictions in is_allowed_to_mmap_to_userspace function
This small change simplifies the function a bit but also fixes a problem with it. Let's take an example to see this: Let's say we have a reserved range between 0xe0000 to 0xfffff (EBDA), then we want to map from the memory device (/dev/mem) the entire EBDA to a program. If a program tries to map more than 131072 bytes, the current logic will work - the start address is 0xe0000, and ofcourse it's below the limit, hence it passes the first two restrictions. Then, the third if statement will fail if we try to mmap more than the said allowed bytes. However, let's take another scenario, where we try to mmap from 0xf0000 - but we try to mmap less than 131072 - but more than 65536. In such case, we again pass the first two if statements, but the third one is passed two, because it doesn't take into account the offseted address from the start of the reserved range (0xe0000). In such case, a user can easily mmap 65535 bytes above 0x100000. This might seem negligible. However, it's still a severe bug that can theoretically be exploited into a info leak or tampering with important kernel structures.
This commit is contained in:
Liav A
Andreas Kling
parent
89afd4d063
commit
026687816d
Notes:
sideshowbarker
2024-07-18 02:03:43 +09:00
Author: https://github.com/supercomputer7 Commit: https://github.com/SerenityOS/serenity/commit/026687816d6 Pull-request: https://github.com/SerenityOS/serenity/pull/10571 Reviewed-by: https://github.com/bgianfo ✅
2 changed files with 9 additions and 4 deletions
|
|
@ -180,13 +180,16 @@ UNMAP_AFTER_INIT void MemoryManager::register_reserved_ranges()
|
|||
bool MemoryManager::is_allowed_to_mmap_to_userspace(PhysicalAddress start_address, VirtualRange const& range) const
|
||||
{
|
||||
VERIFY(!m_reserved_memory_ranges.is_empty());
|
||||
// Note: Guard against overflow in case someone tries to mmap on the edge of
|
||||
// the RAM
|
||||
if (start_address.offset_addition_would_overflow(range.size()))
|
||||
return false;
|
||||
auto end_address = start_address.offset(range.size());
|
||||
for (auto& current_range : m_reserved_memory_ranges) {
|
||||
if (!(current_range.start <= start_address))
|
||||
if (current_range.start > start_address)
|
||||
continue;
|
||||
if (!(current_range.start.offset(current_range.length) > start_address))
|
||||
if (current_range.start.offset(current_range.length) < end_address)
|
||||
continue;
|
||||
if (current_range.length < range.size())
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
#pragma once
|
||||
|
||||
#include <AK/Checked.h>
|
||||
#include <AK/Format.h>
|
||||
#include <AK/Types.h>
|
||||
|
||||
|
|
@ -30,6 +31,7 @@ public:
|
|||
}
|
||||
|
||||
[[nodiscard]] PhysicalAddress offset(PhysicalPtr o) const { return PhysicalAddress(m_address + o); }
|
||||
[[nodiscard]] bool offset_addition_would_overflow(PhysicalPtr o) const { return Checked<PhysicalPtr>::addition_would_overflow(m_address, o); }
|
||||
[[nodiscard]] PhysicalPtr get() const { return m_address; }
|
||||
void set(PhysicalPtr address) { m_address = address; }
|
||||
void mask(PhysicalPtr m) { m_address &= m; }
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue