From 40159186c1518705629158e40eccf41e696841c6 Mon Sep 17 00:00:00 2001
From: Idan Horowitz
Date: Thu, 13 Jan 2022 01:17:15 +0200
Subject: [PATCH] Kernel: Remove String use-after-free in generate_auxiliary_vector
Instead we generate the random bytes directly in make_userspace_context_for_main_thread if requested.
---
Kernel/Syscalls/execve.cpp | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Kernel/Syscalls/execve.cpp b/Kernel/Syscalls/execve.cpp
index a871a93c35b..55496cb3691 100644
--- a/Kernel/Syscalls/execve.cpp
+++ b/Kernel/Syscalls/execve.cpp
@@ -114,6 +114,12 @@ static ErrorOr make_userspace_context_for_main_thread([[maybe_unused]]
 push_string_on_new_stack(value.optional_string);
 value.auxv.a_un.a_ptr = (void*)new_sp;
 }
+ if (value.auxv.a_type == ELF::AuxiliaryValue::Random) {
+ u8 random_bytes[16] {};
+ get_fast_random_bytes({ random_bytes, sizeof(random_bytes) });
+ push_string_on_new_stack({ random_bytes, sizeof(random_bytes) });
+ value.auxv.a_un.a_ptr = (void*)new_sp;
+ }
 }
 for (ssize_t i = auxiliary_values.size() - 1; i >= 0; --i) {
@@ -655,10 +661,7 @@ static Vector generate_auxiliary_vector(FlatPtr load_base,
 // FIXME: Also take into account things like extended filesystem permissions? That's what linux does...
 auxv.append({ ELF::AuxiliaryValue::Secure, ((uid != euid) || (gid != egid)) ? 1 : 0 });
- char random_bytes[16] {};
- get_fast_random_bytes({ (u8*)random_bytes, sizeof(random_bytes) });
-
- auxv.append({ ELF::AuxiliaryValue::Random, String(random_bytes, sizeof(random_bytes)) });
+ auxv.append({ ELF::AuxiliaryValue::Random, nullptr });
 auxv.append({ ELF::AuxiliaryValue::ExecFilename, executable_path });
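Review bot: The new `ELF::AuxiliaryValue::Random` branch in make_userspace_context_for_main_thread hard-codes `u8 random_bytes[16]` with nothing saying that 16 is an ABI contract rather than an arbitrary buffer size, so a later edit could shrink or grow it without realizing userspace reads exactly 16 bytes through AT_RANDOM. Suggest a comment above the buffer: `// AT_RANDOM must point at exactly 16 bytes of CSPRNG output; the C runtime seeds its stack protector / pointer guard from them.` It is also worth confirming that `push_string_on_new_stack` copies the full `sizeof(random_bytes)` bytes of the view rather than stopping at the first zero byte, since random output can contain NULs — the removed code passed an explicitly sized `String` for the same reason. The block that precedes this one (ending with `push_string_on_new_stack(value.optional_string)`) begins outside the hunk, so its guard condition is not visible here.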