Kernel: Refuse excessively long iovec list

If a program attempts to write from more than a million different locations,
there is likely shenaniganery afoot! Refuse to write to prevent kmem exhaustion.

Found by fuzz-syscalls. Can be reproduced by running this in the Shell:

    $ syscall writev 1 [ 0 ] 0x08000000
Ben Wiederhake 2021-02-11 20:38:39 +01:00 committed by Andreas Kling
parent 987b7f7917
commit c6027ed7cc
Notes: sideshowbarker 2024-07-18 22:22:59 +09:00

@ -37,12 +37,9 @@ ssize_t Process::sys$writev(int fd, Userspace<const struct iovec*> iov, int iov_
if (iov_count < 0)
return -EINVAL;
{
Checked checked_iov_count = sizeof(iovec);
checked_iov_count *= iov_count;
if (checked_iov_count.has_overflow())
return -EFAULT;
}
// Arbitrary pain threshold.
if (iov_count > (int)MiB)
return -EFAULT;
u64 total_length = 0;
Vector<iovec, 32> vecs;
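Review bot: the new upper-bound check returns -EFAULT while the adjacent `if (iov_count < 0)` check returns -EINVAL; an oversized count is an invalid argument rather than an unreadable user address, so `return -EINVAL;` would be consistent with the line above and with the errno POSIX prescribes for an iovcnt above IOV_MAX. Consider also naming the threshold (e.g. an IOV_MAX-style constant) instead of the bare `(int)MiB` cast so userspace and the kernel agree on the limit. Dropping the Checked multiplication is fine once this bound is in place, since sizeof(iovec) times at most MiB entries cannot overflow.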