Kernel: Fix integer overflow in KCOV_SETBUFSIZE ioctl

Author: https://github.com/HerrSpace Commit: https://github.com/SerenityOS/serenity/commit/d5fdb97a812 Pull-request: https://github.com/SerenityOS/serenity/pull/9029
2024-12-30 22:54:35 +03:00 · 2021-07-26 21:44:49 +02:00 · 2021-07-26 21:44:49 +02:00 · d5fdb97a81 · 2024-07-18 08:17:24 +09:00
commit d5fdb97a81
parent 4857943a71
2 changed files with 4 additions and 0 deletions
--- a/Kernel/Devices/KCOVInstance.cpp
+++ b/Kernel/Devices/KCOVInstance.cpp
@ -17,6 +17,9 @@ KCOVInstance::KCOVInstance(ProcessID pid)

 KResult KCOVInstance::buffer_allocate(size_t buffer_size_in_entries)
 {
+    if (buffer_size_in_entries < 2 || buffer_size_in_entries > KCOV_MAX_ENTRIES)
+        return EINVAL;
+
    // first entry contains index of last PC
    this->m_buffer_size_in_entries = buffer_size_in_entries - 1;
    this->m_buffer_size_in_bytes = page_round_up(buffer_size_in_entries * KCOV_ENTRY_SIZE);
--- a/Kernel/Devices/KCOVInstance.h
+++ b/Kernel/Devices/KCOVInstance.h
@ -14,6 +14,7 @@ namespace Kernel {
 // Note: These need to be kept in sync with Userland/Libraries/LibC/sys/kcov.h
 typedef volatile u64 kcov_pc_t;
 #define KCOV_ENTRY_SIZE sizeof(kcov_pc_t)
+#define KCOV_MAX_ENTRIES (10 * 1024 * 1024)

 /*
 * One KCOVInstance is allocated per process, when the process opens /dev/kcov