forked from KolibriOS/kolibrios
Fix vulnerabilitie in sysfn 74.1 (add sanity check for user buffer), now user applications can't corrupt kernel memory via invalid buffer address
git-svn-id: svn://kolibrios.org@8700 a494cfbc-eb01-0410-851d-a64ba20cac60
This commit is contained in:
parent
35ba6d8562
commit
b91122a57b
@ -760,7 +760,12 @@ sys_network:
|
|||||||
ret
|
ret
|
||||||
|
|
||||||
.get_dev_name:
|
.get_dev_name:
|
||||||
mov esi, [eax + NET_DEVICE.name]
|
; { Patch by Coldy, sanity check
|
||||||
|
mov ebx, eax ; eax will used for is_region_userspace return
|
||||||
|
stdcall is_region_userspace, ecx, 64
|
||||||
|
jz .bad_buffer
|
||||||
|
mov esi, [ebx + NET_DEVICE.name] ;mov esi, [eax + NET_DEVICE.name]
|
||||||
|
; } End patch by Coldy, sanity check
|
||||||
mov edi, ecx
|
mov edi, ecx
|
||||||
|
|
||||||
mov ecx, 64/4 ; max length
|
mov ecx, 64/4 ; max length
|
||||||
@ -822,6 +827,7 @@ sys_network:
|
|||||||
|
|
||||||
|
|
||||||
.doesnt_exist:
|
.doesnt_exist:
|
||||||
|
.bad_buffer: ; Sanity check failed, exit
|
||||||
mov dword[esp+32], -1
|
mov dword[esp+32], -1
|
||||||
ret
|
ret
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user