system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-10-17 13:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Kernel: Refuse excessively long iovec list, also in readv

Browse source 
This bug is a good example why copy-paste code should eventually be eliminated
from the code base: Apparently the code was copied from read.cpp before
c6027ed7cc, so the same bug got introduced here.

To recap: A malicious program can ask the Kernel to prepare sys-ing to
a huge amount of iovecs. The Kernel must first copy all the vector locations
into 'vecs', and before that allocates an arbitrary amount of memory:
    vecs.resize(iov_count);
This can cause Kernel memory exhaustion, triggered by any malicious userland
program.
This commit is contained in:
Ben Wiederhake 2021-02-15 21:06:18 +01:00 committed by Andreas Kling
parent fc2a4511ec
commit fbb85f9b2f
1 changed files with 3 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
Kernel/Syscalls/read.cpp
View file

@ -36,12 +36,9 @@ ssize_t Process::sys$readv(int fd, Userspace<const struct iovec*> iov, int iov_c
if (iov_count < 0)
return -EINVAL;
{
Checked checked_iov_count = sizeof(iovec);
checked_iov_count *= iov_count;
if (checked_iov_count.has_overflow())
return -EFAULT;
}
// Arbitrary pain threshold.
if (iov_count > (int)MiB)
return -EFAULT;
u64 total_length = 0;
Vector<iovec, 32> vecs;