From 7f4ba4d3e14e3e613569016b00b2788bc551106b Mon Sep 17 00:00:00 2001 From: "Rustem Gimadutdinov (rgimad)" Date: Sat, 24 Apr 2021 21:16:55 +0000 Subject: [PATCH] fixed multiple vulnerabilities in sysfn70 caused by absence of user addresses check git-svn-id: svn://kolibrios.org@8680 a494cfbc-eb01-0410-851d-a64ba20cac60 --- kernel/trunk/core/dll.inc | 7 ++- kernel/trunk/core/syscall.inc | 4 +- kernel/trunk/fs/fs_lfn.inc | 87 +++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 3 deletions(-) diff --git a/kernel/trunk/core/dll.inc b/kernel/trunk/core/dll.inc index 73cbae6525..527cb24a1c 100644 --- a/kernel/trunk/core/dll.inc +++ b/kernel/trunk/core/dll.inc @@ -385,7 +385,12 @@ proc get_fileinfo stdcall, file_name:dword, info:dword mov eax, 70 lea ebx, [cmd] - int 0x40 + pushad + cld + call protect_from_terminate + call file_system_lfn + call unprotect_from_terminate + popad ret endp diff --git a/kernel/trunk/core/syscall.inc b/kernel/trunk/core/syscall.inc index d78bd2516b..8cb07f67cc 100644 --- a/kernel/trunk/core/syscall.inc +++ b/kernel/trunk/core/syscall.inc @@ -168,7 +168,7 @@ iglobal dd syscall_move_window ; 67-Window move or resize dd f68 ; 68-Some internal services dd sys_debug_services ; 69-Debug - dd file_system_lfn ; 70-Common file system interface, version 2 + dd syscall_file_system_lfn ; 70-Common file system interface, version 2 dd syscall_window_settings ; 71-Window settings dd sys_sendwindowmsg ; 72-Send window message dd blit_32 ; 73-blitter; @@ -178,7 +178,7 @@ iglobal dd sys_posix ; posix support dd undefined_syscall ; 78-free dd undefined_syscall ; 79-free - dd fileSystemUnicode ; 80-File system interface for different encodings + dd syscall_fileSystemUnicode ; 80-File system interface for different encodings times 255 - ( ($-servetable2) /4 ) dd undefined_syscall dd sys_end ; -1-end application diff --git a/kernel/trunk/fs/fs_lfn.inc b/kernel/trunk/fs/fs_lfn.inc index a866c7d351..8b3d414cb4 100644 --- a/kernel/trunk/fs/fs_lfn.inc +++ b/kernel/trunk/fs/fs_lfn.inc @@ -26,6 +26,93 @@ maxPathLength = 1000h image_of_eax EQU esp+32 image_of_ebx EQU esp+20 +; System function 70 security check +align 4 +proc file_system_is_operation_safe stdcall, inf_struct_ptr: dword +; in: +; inf_struct_ptr = pointer to information structure was given to sysfn70 +; out: ZF = 1 if operation is safe +; ZF = 0 if operation can cause kernel crash + push ebx ecx edx + xor ecx, ecx ; ecx - length of target buffer + + mov ebx, [inf_struct_ptr] + mov edx, [ebx + 16] ; base of target buffer + + cmp dword [ebx], 0 ; if 70.0 + jnz .case1 + mov ecx, dword [ebx + 12] + jmp .end_switch + +.case1: + cmp dword [ebx], 1 ; if 70.1 + jnz .case2_3 + ;mov ecx, 32 + cmp dword [ebx + 8], 1 ; check encoding + jbe .case1_304 ; if encdoing <= 1 i.e cpp866 + mov ecx, 560 ; if unicode then bdvk block len is 560 bytes + jmp .case1_end +.case1_304: + mov ecx, 304 ; if cp866 then bdvk block len is 304 bytes +.case1_end: + imul ecx, dword [ebx + 12] ; multiply bdvk length by their count + add ecx, 32 ; add result header len + jmp .end_switch + +.case2_3: + cmp dword [ebx], 3 + ja .case5 ; if subfn > 3 + mov ecx, dword [ebx + 12] + jmp .end_switch + +.case5: + cmp dword [ebx], 5 + jnz .case6 + mov ecx, 40 + jmp .end_switch + +.case6: + cmp dword [ebx], 6 + jnz .switch_none + mov ecx, 32 + jmp .end_switch + +.switch_none: + mov ecx, 1 + test ecx, ecx + jmp .ret + +.end_switch: + ;; + stdcall is_region_userspace, edx, ecx +.ret: + pop edx ecx ebx + ret +endp + +syscall_fileSystemUnicode: +; in: ebx -> f.80 parameter structure + stdcall file_system_is_operation_safe, ebx + jnz @f + + DEBUGF 1, "sysfn80 addr error\n" + mov dword [image_of_eax], ERROR_MEMORY_POINTER + ret +@@: + jmp fileSystemUnicode + +syscall_file_system_lfn: +; in: ebx -> f.70 parameter structure + stdcall file_system_is_operation_safe, ebx + jnz @f + + DEBUGF 1, "sysfn70 addr error\n" + mov dword [image_of_eax], ERROR_MEMORY_POINTER + ret +@@: + jmp file_system_lfn + + ; System function 70 file_system_lfn_protected: