taskman.inc: fixed two vulnerabilities which caused kernel memory corruption on attempt to run apps with illegal addresses in MENUET0x header

git-svn-id: svn://kolibrios.org@8593 a494cfbc-eb01-0410-851d-a64ba20cac60
Rustem Gimadutdinov (rgimad) 2021-02-14 13:21:22 +00:00
parent 1351c15bd0
commit c39db73416


@ -82,7 +82,7 @@ proc fs_execute
locals locals
cmdline rd 1 cmdline rd 1
flags rd 1 flags rd 1
slot rd 1 ; number of new thread slot slot rd 1 ; index of new thread slot
slot_base rd 1 ; base address of it slot_base rd 1 ; base address of it
; app header data ; app header data
hdr_cmdline rd 1 hdr_cmdline rd 1
@ -112,7 +112,7 @@ proc fs_execute
mov [file_base], eax mov [file_base], eax
mov [file_size], ebx mov [file_size], ebx
lea ebx, [hdr_cmdline] lea ebx, [hdr_cmdline]
call test_app_header ; fill our app header data locals with values from given application header (if its correct) call test_app_header ; fill our app header data locals with values from header of given program (if its correct)
mov esi, -0x1F mov esi, -0x1F
test eax, eax test eax, eax
jz .err_hdr jz .err_hdr
@ -846,6 +846,8 @@ common_app_entry:
push esi push esi
test edi, edi test edi, edi
jz @f jz @f
stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
jz @f
mov al, '/' mov al, '/'
stosb stosb
rep movsb rep movsb
@ -871,6 +873,10 @@ common_app_entry:
@@: @@:
mov [APP_HEADER_01_.i_param], edi mov [APP_HEADER_01_.i_param], edi
.copy_cmdline: .copy_cmdline:
inc ecx ; keep in mind about 0 in the end
stdcall is_region_userspace, edi, ecx
jz .check_tls_header
dec ecx
rep movsb rep movsb
mov byte [edi], 0 mov byte [edi], 0
.check_tls_header: .check_tls_header:
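Review bot: In the third hunk (path copy in common_app_entry) the range checked is `edi, [ebp+APP_HDR.filename_size]`, but the code that follows stores a '/' with `stosb` before the `rep movsb`, so the write appears to extend at least one byte past the checked region. The fourth hunk already sizes its check for the terminating zero with `inc ecx`; the path check should count the extra byte the same way, for example `mov eax, [ebp+APP_HDR.filename_size]` / `inc eax` / `stdcall is_region_userspace, edi, eax`, provided eax is free at that point. The value of ecx on entry to `rep movsb`, and whether a terminator is also written after the path, are set outside the hunk, so the exact count needs confirming there. Both new checks rely on `jz` meaning "region is not in userspace" and silently skip the copy; since is_region_userspace is defined outside this page, a short comment at each call stating its ZF contract (and whether it rejects a base+length wrap-around) would make the checks reviewable.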