Kernel: Refuse excessively long iovec list
If a program attempts to write from more than a million different locations, there is likely shenaniganery afoot! Refuse to write to prevent kmem exhaustion. Found by fuzz-syscalls. Can be reproduced by running this in the Shell: $ syscall writev 1 [ 0 ] 0x08000000
parent
987b7f7917
commit
c6027ed7cc
Notes:
sideshowbarker
2024-07-18 22:22:59 +09:00
Author: https://github.com/BenWiederhake Commit: https://github.com/SerenityOS/serenity/commit/c6027ed7cce Pull-request: https://github.com/SerenityOS/serenity/pull/5294
@ -37,12 +37,9 @@ ssize_t Process::sys$writev(int fd, Userspace<const struct iovec*> iov, int iov_
|
||||
if (iov_count < 0)
|
||||
return -EINVAL;
|
||||
|
||||
{
|
||||
Checked checked_iov_count = sizeof(iovec);
|
||||
checked_iov_count *= iov_count;
|
||||
if (checked_iov_count.has_overflow())
|
||||
return -EFAULT;
|
||||
}
|
||||
// Arbitrary pain threshold.
|
||||
if (iov_count > (int)MiB)
|
||||
return -EFAULT;
|
||||
|
||||
u64 total_length = 0;
|
||||
Vector<iovec, 32> vecs;
|
||||
|
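Review bot: The new cap `if (iov_count > (int)MiB)` returns `-EFAULT`, but an over-long vector is an invalid argument rather than a bad address. POSIX specifies EINVAL for an iovcnt above IOV_MAX, so `return -EINVAL;` would match the negative-count branch just above and is what userspace error handling expects. The bound still lets a single call ask the kernel to hold about a million `iovec` entries, so several concurrent callers can add up to significant kernel memory. A named constant with a comment stating the per-call allocation it permits would be easier to audit than the `(int)MiB` cast under "Arbitrary pain threshold". The cap does make the removed `Checked` multiplication redundant, because `sizeof(iovec) * iov_count` can no longer overflow. The rest of `sys$writev`, including how `vecs` is sized and whether that allocation can fail, lies outside the hunk.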