mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-07-30 20:59:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Kernel: Fail with EFAULT for any address+size that would wrap around

Browse source 
Previously we were only checking that each of the virtual pages in the
specified range were valid.

This made it possible to pass in negative buffer sizes to some syscalls
as long as (address) and (address+size) were on the same page.
This commit is contained in:
Andreas Kling 2020-01-29 12:39:27 +01:00
commit a27c5d2fb7
Notes: sideshowbarker 2024-07-19 09:45:15 +09:00
2 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Kernel/VM/MemoryManager.cpp
View file

@ -569,6 +569,11 @@ template<MemoryManager::AccessSpace space, MemoryManager::AccessType access_type
bool MemoryManager::validate_range(const Process& process, VirtualAddress base_vaddr, size_t size) const
{
ASSERT(size);
if (base_vaddr > base_vaddr.offset(size)) {
dbg() << "Shenanigans! Asked to validate wrappy " << base_vaddr << " size=" << size;
return false;
}
VirtualAddress vaddr = base_vaddr.page_base();
VirtualAddress end_vaddr = base_vaddr.offset(size - 1).page_base();
if (end_vaddr < vaddr) {