LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-09-11 13:36:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Kernel: Don't dereference untrusted userspace pointer in sys$uname()

Browse Source 
Instead of writing to the userspace utsname struct one field at a time,
build up a utsname on the kernel stack and copy it out to userspace
once it's finished. This is both simpler and gets validity checking
built-in for free.

Found by KUBSAN! :^)

Fixes #5499.
This commit is contained in:
Andreas Kling 2021-02-24 14:33:50 +01:00
parent 99cd0d3ffb
commit a48d54dfc5
Notes: sideshowbarker 2024-07-18 21:57:42 +09:00 
Author: https://github.com/awesomekling
Commit: https://github.com/SerenityOS/serenity/commit/a48d54dfc5a
1 changed files with 8 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Kernel/Syscalls/uname.cpp
View File

@ -39,18 +39,14 @@ int Process::sys$uname(Userspace<utsname*> buf)
if (g_hostname->length() + 1 > sizeof(utsname::nodename))
return -ENAMETOOLONG;
// We have already validated the entire utsname struct at this
// point, there is no need to re-validate every write to the struct.
utsname* user_buf = buf.unsafe_userspace_ptr();
if (!copy_to_user(user_buf->sysname, "SerenityOS", 11))
return -EFAULT;
if (!copy_to_user(user_buf->release, "1.0-dev", 8))
return -EFAULT;
if (!copy_to_user(user_buf->version, "FIXME", 6))
return -EFAULT;
if (!copy_to_user(user_buf->machine, "i686", 5))
return -EFAULT;
if (!copy_to_user(user_buf->nodename, g_hostname->characters(), g_hostname->length() + 1))
utsname buf {};
memcpy(buf.sysname, "SerenityOS", 11);
memcpy(buf.release, "1.0-dev", 8);
memcpy(buf.version, "FIXME", 6);
memcpy(buf.machine, "i686", 5);
memcpy(buf.nodename, g_hostname->characters(), g_hostname->length() + 1);
if (!copy_to_user(user_buf, &buf))
return -EFAULT;
return 0;
}