Mirror of https://github.com/LadybirdBrowser/ladybird.git (synced 2025-05-12 14:12:52 +00:00)
Kernel: Fix OOB read in sys$dbgputstr(..) during fuzzing
The implementation uses try_copy_kstring_from_user to allocate a kernel string, but does not use the length of the resulting string. The size parameter to the syscall is untrusted, as try copy kstring will attempt to perform a `safe_strlen(..)` on the user mode string and use that value for the allocated length of the KString instead. The bug is that we are printing the kstring, but with the usermode size argument.

During fuzzing this resulted in us walking off the end of the allocated KString buffer printing garbage (or any kernel data!), until we stumbled into the KSym region and hit a fatal page fault.

This is technically a kernel information disclosure, but (un)fortunately the disclosure only happens to the Bochs debug port, and/or the serial port if serial debugging is enabled. As far as I can tell it's not actually possible for an untrusted attacker to use this to do something nefarious, as they would need access to the host. If they have host access then they can already do much worse things :^).
parent: 40a942d28b
commit: ed6d842f85
Notes:
sideshowbarker
2024-07-18 07:02:27 +09:00
Author: https://github.com/bgianfo
Commit: ed6d842f85
Pull-request: https://github.com/SerenityOS/serenity/pull/9372
1 changed files with 3 additions and 2 deletions
@ -42,8 +42,9 @@ KResultOr<FlatPtr> Process::sys$dbgputstr(Userspace<const char*> characters, siz
auto result = try_copy_kstring_from_user(characters, size);
if (result.is_error())
return result.error();
dbgputstr(result.value()->characters(), size);
return size;
auto string = result.release_value();
dbgputstr(string->view());
return string->length();
}
}
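Review bot: the return value in this hunk changes from the caller-supplied `size` to `string->length()`, which userspace can observe whenever the buffer holds a NUL before `size` bytes (the commit message notes that try_copy_kstring_from_user sizes the KString by `safe_strlen(..)`, not by `size`). That is the right value to return now that the print is bounded by the copied string, but it is a behaviour change worth a sentence in the commit message, along with a check that callers do not treat a count smaller than the requested `size` as an error.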