Bananymous
/
banan-os
1
1
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Kernel: Fix userspace pointer checks 

Some syscalls were unconditionally validating optional paramenters which
were allowed to be null pointers
This commit is contained in:
Bananymous 2025-08-17 23:59:16 +03:00
parent 3e97a82af0
commit 8b7790ded2
1 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
kernel/kernel/Process.cpp
View File

@ -1158,7 +1158,9 @@ namespace Kernel
BAN::ErrorOr<long> Process::sys_hardlinkat(int fd1, const char* path1, int fd2, const char* path2, int flag) BAN::ErrorOr<long> Process::sys_hardlinkat(int fd1, const char* path1, int fd2, const char* path2, int flag)
{ {
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path1 != nullptr)
TRY(validate_string_access(path1)); TRY(validate_string_access(path1));
if (path2 != nullptr)
TRY(validate_string_access(path2)); TRY(validate_string_access(path2));
auto inode = TRY(find_file(fd1, path1, flag)).inode; auto inode = TRY(find_file(fd1, path1, flag)).inode;
@ -1180,6 +1182,7 @@ namespace Kernel
return BAN::Error::from_errno(EINVAL); return BAN::Error::from_errno(EINVAL);
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path)); TRY(validate_string_access(path));
auto [parent, file_name] = TRY(find_parent_file(fd, path, O_WRONLY)); auto [parent, file_name] = TRY(find_parent_file(fd, path, O_WRONLY));
@ -1195,6 +1198,7 @@ namespace Kernel
BAN::ErrorOr<long> Process::sys_readlinkat(int fd, const char* path, char* buffer, size_t bufsize) BAN::ErrorOr<long> Process::sys_readlinkat(int fd, const char* path, char* buffer, size_t bufsize)
{ {
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path)); TRY(validate_string_access(path));
TRY(validate_pointer_access(buffer, bufsize, true)); TRY(validate_pointer_access(buffer, bufsize, true));
@ -1262,6 +1266,7 @@ namespace Kernel
flag = O_NOFOLLOW; flag = O_NOFOLLOW;
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path)); TRY(validate_string_access(path));
auto inode = TRY(find_file(fd, path, flag)).inode; auto inode = TRY(find_file(fd, path, flag)).inode;
@ -1285,6 +1290,7 @@ namespace Kernel
flag = O_NOFOLLOW; flag = O_NOFOLLOW;
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path)); TRY(validate_string_access(path));
auto inode = TRY(find_file(fd, path, flag)).inode; auto inode = TRY(find_file(fd, path, flag)).inode;
@ -1971,6 +1977,8 @@ namespace Kernel
flag = O_NOFOLLOW; flag = O_NOFOLLOW;
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path));
TRY(validate_pointer_access(buf, sizeof(struct stat), true)); TRY(validate_pointer_access(buf, sizeof(struct stat), true));
auto inode = TRY(find_file(fd, path, flag)).inode; auto inode = TRY(find_file(fd, path, flag)).inode;
@ -1994,6 +2002,8 @@ namespace Kernel
BAN::ErrorOr<long> Process::sys_fstatvfsat(int fd, const char* path, struct statvfs* buf) BAN::ErrorOr<long> Process::sys_fstatvfsat(int fd, const char* path, struct statvfs* buf)
{ {
LockGuard _(m_process_lock); LockGuard _(m_process_lock);
if (path != nullptr)
TRY(validate_string_access(path));
TRY(validate_pointer_access(buf, sizeof(struct statvfs), true)); TRY(validate_pointer_access(buf, sizeof(struct statvfs), true));
auto inode = TRY(find_file(fd, path, 0)).inode; auto inode = TRY(find_file(fd, path, 0)).inode;
@ -3297,6 +3307,9 @@ unauthorized_access:
{ {
// TODO: This seems very slow as we loop over the range twice // TODO: This seems very slow as we loop over the range twice
if (size == 0)
return {};
TRY(validate_pointer_access_check(ptr, size, needs_write)); TRY(validate_pointer_access_check(ptr, size, needs_write));
const vaddr_t vaddr = reinterpret_cast<vaddr_t>(ptr); const vaddr_t vaddr = reinterpret_cast<vaddr_t>(ptr);