From 60b088b89a74af0a346a318c435113b22df53755 Mon Sep 17 00:00:00 2001 From: Liav A Date: Sat, 24 Sep 2022 15:10:13 +0300 Subject: [PATCH] Kernel: Send SIGBUS to threads that use after valid Inode mmaped range According to Dr. POSIX, we should allow to call mmap on inodes even on ranges that currently don't map to any actual data. Trying to read or write to those ranges should result in SIGBUS being sent to the thread that did violating memory access. To implement this restriction, we simply check if the result of read_bytes on an Inode returns 0, which means we have nothing valid to map to the program, hence it should receive a SIGBUS in that case. --- Kernel/Arch/x86/common/Interrupts.cpp | 13 +++++++++++-- Kernel/Memory/PageFaultResponse.h | 1 + Kernel/Memory/Region.cpp | 5 +++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Kernel/Arch/x86/common/Interrupts.cpp b/Kernel/Arch/x86/common/Interrupts.cpp index 1be7cd7632..03660e02ac 100644 --- a/Kernel/Arch/x86/common/Interrupts.cpp +++ b/Kernel/Arch/x86/common/Interrupts.cpp @@ -317,7 +317,7 @@ void page_fault_handler(TrapFrame* trap) PageFault fault { regs.exception_code, VirtualAddress { fault_address } }; auto response = MM.handle_page_fault(fault); - if (response == PageFaultResponse::ShouldCrash || response == PageFaultResponse::OutOfMemory) { + if (response == PageFaultResponse::ShouldCrash || response == PageFaultResponse::OutOfMemory || response == PageFaultResponse::BusError) { if (faulted_in_kernel && handle_safe_access_fault(regs, fault_address)) { // If this would be a ring0 (kernel) fault and the fault was triggered by // safe_memcpy, safe_strnlen, or safe_memset then we resume execution at @@ -325,6 +325,11 @@ void page_fault_handler(TrapFrame* trap) return; } + if (response == PageFaultResponse::BusError && current_thread->has_signal_handler(SIGBUS)) { + current_thread->send_urgent_signal_to_self(SIGBUS); + return; + } + if (response != PageFaultResponse::OutOfMemory && current_thread) { if (current_thread->has_signal_handler(SIGSEGV)) { current_thread->send_urgent_signal_to_self(SIGSEGV); @@ -341,7 +346,9 @@ void page_fault_handler(TrapFrame* trap) constexpr FlatPtr free_scrub_pattern = explode_byte(FREE_SCRUB_BYTE); constexpr FlatPtr kmalloc_scrub_pattern = explode_byte(KMALLOC_SCRUB_BYTE); constexpr FlatPtr kfree_scrub_pattern = explode_byte(KFREE_SCRUB_BYTE); - if ((fault_address & 0xffff0000) == (malloc_scrub_pattern & 0xffff0000)) { + if (response == PageFaultResponse::BusError) { + dbgln("Note: Address {} is an access to an undefined memory range of an Inode-backed VMObject", VirtualAddress(fault_address)); + } else if ((fault_address & 0xffff0000) == (malloc_scrub_pattern & 0xffff0000)) { dbgln("Note: Address {} looks like it may be uninitialized malloc() memory", VirtualAddress(fault_address)); } else if ((fault_address & 0xffff0000) == (free_scrub_pattern & 0xffff0000)) { dbgln("Note: Address {} looks like it may be recently free()'d memory", VirtualAddress(fault_address)); @@ -390,6 +397,8 @@ void page_fault_handler(TrapFrame* trap) } } + if (response == PageFaultResponse::BusError) + return handle_crash(regs, "Page Fault (Bus Error)", SIGBUS, false); return handle_crash(regs, "Page Fault", SIGSEGV, response == PageFaultResponse::OutOfMemory); } else if (response == PageFaultResponse::Continue) { dbgln_if(PAGE_FAULT_DEBUG, "Continuing after resolved page fault"); diff --git a/Kernel/Memory/PageFaultResponse.h b/Kernel/Memory/PageFaultResponse.h index 56297f6268..0a5c473230 100644 --- a/Kernel/Memory/PageFaultResponse.h +++ b/Kernel/Memory/PageFaultResponse.h @@ -10,6 +10,7 @@ namespace Kernel { enum class PageFaultResponse { ShouldCrash, + BusError, OutOfMemory, Continue, }; diff --git a/Kernel/Memory/Region.cpp b/Kernel/Memory/Region.cpp index a5ecc22fe6..ea042596a8 100644 --- a/Kernel/Memory/Region.cpp +++ b/Kernel/Memory/Region.cpp @@ -501,6 +501,11 @@ PageFaultResponse Region::handle_inode_fault(size_t page_index_in_region) } auto nread = result.value(); + // Note: If we received 0, it means we are at the end of file or after it, + // which means we should return bus error. + if (nread == 0) + return PageFaultResponse::BusError; + if (nread < PAGE_SIZE) { // If we read less than a page, zero out the rest to avoid leaking uninitialized data. memset(page_buffer + nread, 0, PAGE_SIZE - nread);