From d82e0a30b4672afb3641142f8235711bd5824d1a Mon Sep 17 00:00:00 2001
From: "Rustem Gimadutdinov (rgimad)"
Date: Sun, 21 Feb 2021 09:59:47 +0000
Subject: [PATCH] fixed vulnerabilities in sysfn 18.11 and 36, now user applications cannot corrupt kernel memory via invalid buffer address
git-svn-id: svn://kolibrios.org@8598 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 kernel/trunk/kernel.asm | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/kernel/trunk/kernel.asm b/kernel/trunk/kernel.asm
index 774d682319..7e7d70e583 100644
--- a/kernel/trunk/kernel.asm
+++ b/kernel/trunk/kernel.asm
@@ -2439,6 +2439,8 @@ sysfn_getdiskinfo: ; 18.11 = get disk info table
 dec ecx
 jnz .exit
 .small_table:
+ stdcall is_region_userspace, edx, DRIVE_DATA_SIZE
+ jz .exit
 mov edi, edx
 mov esi, DRIVE_DATA
 mov ecx, DRIVE_DATA_SIZE ;10
@@ -5347,6 +5349,12 @@ syscall_getarea:
 mov esi, ecx ; ecx - size x, edx - size y
+ mov ebp, edx
+ lea ebp, [ebp*3]
+ imul ebp, esi
+ stdcall is_region_userspace, edi, ebp
+ jz .exit
+ mov ebp, edx
 dec ebp
 lea ebp, [ebp*3]
@@ -5386,6 +5394,8 @@ align 4
 dec ebx
 dec edx
 jnz .start_y
+
+.exit:
 popad
 ret
 ;-----------------------------------------------------------------------------
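Review bot: The `jz .exit` after `stdcall is_region_userspace, edx, DRIVE_DATA_SIZE` relies on the helper reporting a rejected region as ZF=1, and nothing in the hunk states that contract. If the polarity were the other way round, the copy would be skipped for valid buffers and performed for kernel addresses. A comment at the call such as `; ZF=1: [edx, edx+DRIVE_DATA_SIZE) is not entirely in user space, skip the copy` would pin it down; the same applies to the `jz .exit` added in syscall_getarea. The guard sits only on the `.small_table` path, and sysfn_getdiskinfo starts before the hunk, so any other write to the caller's buffer there should be checked for the same guard.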
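Review bot: The length handed to is_region_userspace in syscall_getarea is a 32-bit product (`lea ebp, [ebp*3]` then `imul ebp, esi`) with no overflow check, so for large enough size x and size y it can wrap and be smaller than the area the copy loop later writes. Two-operand `imul` sets CF and OF when the result does not fit, so a `jc .exit` placed directly after `imul ebp, esi` would reject such a request before the range check. How the two dimensions are bounded before this point, and whether the loop clips them, lies outside the hunk, so the reachable range should be confirmed against the full function. The rejected path returns through `popad` at `.exit` with no status, so the caller cannot tell that nothing was copied; a comment at the label should say so.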