From c39db734160a7cefc0c9b20fc04d4cab35931aa4 Mon Sep 17 00:00:00 2001
From: "Rustem Gimadutdinov (rgimad)"
Date: Sun, 14 Feb 2021 13:21:22 +0000
Subject: [PATCH] taskman.inc: fixed two vulnerabilities which caused kernel memory corruption on attempt to run apps with illegal addresses in MENUET0x header

git-svn-id: svn://kolibrios.org@8593 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 kernel/trunk/core/taskman.inc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/kernel/trunk/core/taskman.inc b/kernel/trunk/core/taskman.inc
index 2156f697ff..b50620507b 100644
--- a/kernel/trunk/core/taskman.inc
+++ b/kernel/trunk/core/taskman.inc
@@ -82,7 +82,7 @@ proc fs_execute
 locals
 cmdline rd 1
 flags rd 1
- slot rd 1 ; number of new thread slot
+ slot rd 1 ; index of new thread slot
 slot_base rd 1 ; base address of it
 ; app header data
 hdr_cmdline rd 1
@@ -112,7 +112,7 @@ proc fs_execute
 mov [file_base], eax
 mov [file_size], ebx
 lea ebx, [hdr_cmdline]
- call test_app_header ; fill our app header data locals with values from given application header (if its correct)
+ call test_app_header ; fill our app header data locals with values from header of given program (if its correct)
 mov esi, -0x1F
 test eax, eax
 jz .err_hdr
@@ -846,6 +846,8 @@ common_app_entry:
 push esi
 test edi, edi
 jz @f
+ stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
+ jz @f
 mov al, '/'
 stosb
 rep movsb
@@ -871,6 +873,10 @@ common_app_entry:
 @@:
 mov [APP_HEADER_01_.i_param], edi
 .copy_cmdline:
+ inc ecx ; keep in mind about 0 in the end
+ stdcall is_region_userspace, edi, ecx
+ jz .check_tls_header
+ dec ecx
 rep movsb
 mov byte [edi], 0
 .check_tls_header:
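Review bot: In hunk `@@ -846,6 +846,8 @@` the new `is_region_userspace` check covers `filename_size` bytes at edi, but the write that follows is one byte longer: `stosb` stores the `/` and then `rep movsb` copies ecx bytes, so unless ecx is already one less than `filename_size` (ecx is set outside the hunk, I cannot confirm) the final byte lands just past the verified region, and the bound should be `filename_size + 1` in a scratch register, the same way the cmdline hunk below does `inc ecx` before its check. The hunk also silently relies on `is_region_userspace` preserving ecx, esi and edi across the `stdcall`, since `rep movsb` consumes them right after; that contract belongs in a comment on the call. On a failed check control falls through to `@f` and the process is still started with the filename never written, which is safer than the corruption but deserves a comment such as `; header gave a non-userspace filename pointer: skip the copy, app starts without it`. `common_app_entry` continues outside the hunk on both sides.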
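Review bot: In hunk `@@ -871,6 +873,10 @@` the `inc ecx` / `dec ecx` pair correctly extends the checked length to include the terminator written by `mov byte [edi], 0`, but the hunk cannot show whether `is_region_userspace` rejects a base plus size that wraps past the top of the address space; with a header-controlled edi and a large ecx a plain upper-bound test on edi alone would pass while the copy leaves userspace, so if the helper does not handle the wrap this check still needs it. As in the filename hunk, a rejected cmdline jumps to `.check_tls_header` and the application launches anyway with its command line dropped; consider surfacing the rejection (or failing the load the way `test_app_header`'s `.err_hdr` path does) instead of starting the program in a truncated state. The comment on `inc ecx` would read better as `; +1 so the check also covers the terminating zero written below`. The function continues outside the hunk.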