
fixed vulnerability (kernel memory overwrite) in sysfn 4

git-svn-id: svn://kolibrios.org@8715 a494cfbc-eb01-0410-851d-a64ba20cac60
Doczom 2021-05-09 14:17:55 +00:00
parent 5376120685
commit c080568a52


@ -4441,6 +4441,15 @@ sys_putimage_palette:
; esi = number of bits per pixel, must be 8, 24 or 32 ; esi = number of bits per pixel, must be 8, 24 or 32
; edi = pointer to palette ; edi = pointer to palette
; ebp = row delta ; ebp = row delta
; check pointer
push ecx
mov ax, cx
shr ecx, 16
imul eax, ecx
stdcall is_region_userspace, ebx, eax
pop ecx
jz sys_putimage.exit
mov eax, [CURRENT_TASK] mov eax, [CURRENT_TASK]
shl eax, 8 shl eax, 8
add dx, word [eax+SLOT_BASE+APPDATA.wnd_clientbox.top] add dx, word [eax+SLOT_BASE+APPDATA.wnd_clientbox.top]
@ -5193,6 +5202,9 @@ align 4
syscall_writetext: ; WriteText syscall_writetext: ; WriteText
stdcall is_region_userspace, edx, esi
jz .err
mov eax, [TASK_BASE] mov eax, [TASK_BASE]
mov ebp, [eax-twdw+WDATA.box.left] mov ebp, [eax-twdw+WDATA.box.left]
push esi push esi
@ -5209,10 +5221,17 @@ align 4
@@: @@:
mov eax, edi mov eax, edi
test ecx, 0x08000000 ; redirect the output to the user area test ecx, 0x08000000 ; redirect the output to the user area
jnz dtext jnz @f
xor edi, edi xor edi, edi
jmp dtext jmp dtext
@@: ; check pointer
stdcall is_region_userspace, edi, 0
jz .err
jmp dtext
.err:
ret
align 4 align 4
syscall_drawrect: ; DrawRect syscall_drawrect: ; DrawRect