system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-10-08 00:50:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Kernel: Make Region weakable and use WeakPtr<Region> instead of Region*

Browse source 
This turns use-after-free bugs into null pointer dereferences instead.
This commit is contained in:
Andreas Kling 2020-02-24 13:24:30 +01:00
parent 79576f9280
commit 30a8991dbf
5 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Kernel/Process.cpp
View file

@ -273,7 +273,7 @@ Region* Process::region_from_range(const Range& range)
for (auto& region : m_regions) {
if (region.vaddr() == range.base() && region.size() == size) {
m_region_lookup_cache.range = range;
m_region_lookup_cache.region = &region;
m_region_lookup_cache.region = region.make_weak_ptr();
return &region;
}
}

3
Kernel/Process.h
View file

@ -31,6 +31,7 @@
#include <AK/InlineLinkedList.h>
#include <AK/NonnullOwnPtrVector.h>
#include <AK/String.h>
#include <AK/WeakPtr.h>
#include <Kernel/FileSystem/InodeMetadata.h>
#include <Kernel/Forward.h>
#include <Kernel/Lock.h>
@ -479,7 +480,7 @@ private:
NonnullOwnPtrVector<Region> m_regions;
struct RegionLookupCache {
Range range;
Region* region { nullptr };
WeakPtr<Region> region;
};
RegionLookupCache m_region_lookup_cache;

9
Kernel/SharedBuffer.cpp
View file

@ -86,12 +86,13 @@ void* SharedBuffer::ref_for_process_and_get_address(Process& process)
for (auto& ref : m_refs) {
if (ref.pid == process.pid()) {
ref.count++;
m_total_refs++;
if (ref.region == nullptr) {
ref.region = process.allocate_region_with_vmobject(VirtualAddress(), size(), m_vmobject, 0, "SharedBuffer", PROT_READ | (m_writable ? PROT_WRITE : 0));
if (!ref.region) {
auto* region = process.allocate_region_with_vmobject(VirtualAddress(), size(), m_vmobject, 0, "SharedBuffer", PROT_READ | (m_writable ? PROT_WRITE : 0));
ref.region = region->make_weak_ptr();
ref.region->set_shared(true);
}
ref.count++;
m_total_refs++;
sanity_check("ref_for_process_and_get_address");
return ref.region->vaddr().as_ptr();
}

3
Kernel/SharedBuffer.h
View file

@ -27,6 +27,7 @@
#pragma once
#include <AK/OwnPtr.h>
#include <AK/WeakPtr.h>
#include <Kernel/VM/MemoryManager.h>
#include <Kernel/VM/PurgeableVMObject.h>
@ -42,7 +43,7 @@ private:
pid_t pid;
unsigned count { 0 };
Region* region { nullptr };
WeakPtr<Region> region;
};
public:

5
Kernel/VM/Region.h
View file

@ -28,6 +28,7 @@
#include <AK/InlineLinkedList.h>
#include <AK/String.h>
#include <AK/Weakable.h>
#include <Kernel/Heap/SlabAllocator.h>
#include <Kernel/VM/RangeAllocator.h>
@ -41,7 +42,9 @@ enum class PageFaultResponse {
Continue,
};
class Region final : public InlineLinkedListNode<Region> {
class Region final
: public InlineLinkedListNode<Region>
, public Weakable<Region> {
friend class MemoryManager;
MAKE_SLAB_ALLOCATED(Region)