Kernel: apply security patch for 70 function(by Rgimad). Thanks Dunkaist for the corrections.

git-svn-id: svn://kolibrios.org@9698 a494cfbc-eb01-0410-851d-a64ba20cac60
This commit is contained in:
turbocat 2022-02-07 21:07:07 +00:00
parent 5b5a240f91
commit dac27e480b
2 changed files with 77 additions and 86 deletions

View File

@ -168,7 +168,7 @@ iglobal
dd syscall_move_window ; 67-Window move or resize
dd f68 ; 68-Some internal services
dd sys_debug_services ; 69-Debug
dd file_system_lfn ; 70-Common file system interface, version 2
dd sys_file_system_lfn ; 70-Common file system interface, version 2
dd syscall_window_settings ; 71-Window settings
dd sys_sendwindowmsg ; 72-Send window message
dd blit_32 ; 73-blitter;
@ -178,7 +178,7 @@ iglobal
dd sys_posix ; posix support
dd undefined_syscall ; 78-free
dd undefined_syscall ; 79-free
dd fileSystemUnicode ; 80-File system interface for different encodings
dd sys_fileSystemUnicode ; 80-File system interface for different encodings
times 255 - ( ($-servetable2) /4 ) dd undefined_syscall
dd sys_end ; -1-end application

View File

@ -25,99 +25,90 @@ maxPathLength = 1000h
image_of_eax EQU esp+32
image_of_ebx EQU esp+20
; ; System function 70 security check
; align 4
; proc file_system_is_operation_safe stdcall, inf_struct_ptr: dword
; ; in:
; ; inf_struct_ptr = pointer to information structure was given to sysfn70
; ; out: ZF = 1 if operation is safe
; ; ZF = 0 if operation can cause kernel crash
; push ebx ecx edx
; xor ecx, ecx ; ecx - length of target buffer
; System function 70 security check
align 4
proc file_system_is_operation_safe stdcall, inf_struct_ptr: dword
; in:
; inf_struct_ptr = pointer to information structure was given to sysfn70
; out: ZF = 1 if operation is safe
; ZF = 0 if operation can cause kernel crash
push ebx ecx edx
xor ecx, ecx ; ecx - length of target buffer
; mov ebx, [inf_struct_ptr]
; mov edx, [ebx + 16] ; base of target buffer
mov ebx, [inf_struct_ptr]
mov edx, [ebx + 16] ; base of target buffer
; cmp dword [ebx], 0 ; if 70.0
; jnz .case1
; mov ecx, dword [ebx + 12]
; jmp .end_switch
cmp dword [ebx], 0 ; if 70.0
jnz .case1
mov ecx, dword [ebx + 12]
jmp .end_switch
; .case1:
; cmp dword [ebx], 1 ; if 70.1
; jnz .case2_3
; ;mov ecx, 32
; cmp dword [ebx + 8], 1 ; check encoding
; jbe .case1_304 ; if encdoing <= 1 i.e cpp866
; mov ecx, 560 ; if unicode then bdvk block len is 560 bytes
; jmp .case1_end
; .case1_304:
; mov ecx, 304 ; if cp866 then bdvk block len is 304 bytes
; .case1_end:
; imul ecx, dword [ebx + 12] ; multiply bdvk length by their count
; add ecx, 32 ; add result header len
; jmp .end_switch
; .case2_3:
; cmp dword [ebx], 3
; ja .case5 ; if subfn > 3
; mov ecx, dword [ebx + 12]
; jmp .end_switch
; .case5:
; cmp dword [ebx], 5
; jnz .case6
; mov ecx, 40
; jmp .end_switch
; .case6:
; cmp dword [ebx], 6
; jnz .switch_none
.case1:
cmp dword [ebx], 1 ; if 70.1
jnz .case2_3
;mov ecx, 32
; jmp .end_switch
cmp dword [ebx + 8], 1 ; check encoding
jbe .case1_304 ; if encdoing <= 1 i.e cpp866
mov ecx, 560 ; if unicode then bdvk block len is 560 bytes
jmp .case1_end
.case1_304:
mov ecx, 304 ; if cp866 then bdvk block len is 304 bytes
.case1_end:
imul ecx, dword [ebx + 12] ; multiply bdvk length by their count
add ecx, 32 ; add result header len
jmp .end_switch
; .switch_none:
; mov ecx, 1
; test ecx, ecx
; jmp .ret
.case2_3:
cmp dword [ebx], 3
ja .case5 ; if subfn > 3
mov ecx, dword [ebx + 12]
jmp .end_switch
; .end_switch:
; ;;
; stdcall is_region_userspace, edx, ecx
; .ret:
; pop edx ecx ebx
; ret
; endp
.case5:
cmp dword [ebx], 5
jnz .case6
mov ecx, 40
jmp .end_switch
; syscall_fileSystemUnicode: ; with user pointer correctness checking
; ; in: ebx -> f.80 parameter structure
; stdcall file_system_is_operation_safe, ebx
; jz @f
.case6:
cmp dword [ebx], 6
jnz .switch_none
mov ecx, 32
jmp .end_switch
; DEBUGF 1, "sysfn80 addr error\n"
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
; ret
; @@:
; jmp fileSystemUnicode
.switch_none:
cmp ecx, ecx
jmp .ret
; temporarily commented out cause acpi driver (drivers/devman) uses sysfn70 via 0x40
; so because drivers it kernel space, pointer checking fails
; TODO solution: add filesystem functions without pointer checking to kernel exports
; and make the driver use them, not int 0x40
; syscall_fileSystemUnicode commented out for the same reason
; syscall_file_system_lfn: ; with user pointer correctness checking
; ; in: ebx -> f.70 parameter structure
; stdcall file_system_is_operation_safe, ebx
; jz @f
.end_switch:
stdcall is_region_userspace, edx, ecx
.ret:
pop edx ecx ebx
ret
endp
; DEBUGF 1, "sysfn70 addr error\n"
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
; ret
; @@:
; jmp file_system_lfn
sys_fileSystemUnicode: ; with user pointer correctness checking
; in: ebx -> f.80 parameter structure
stdcall file_system_is_operation_safe, ebx
jz @f
DEBUGF 1, "sysfn80 addr error\n"
mov dword [image_of_eax], ERROR_MEMORY_POINTER
ret
@@:
jmp fileSystemUnicode
;System function 70
sys_file_system_lfn: ; with user pointer correctness checking
; in: ebx -> f.70 parameter structure
stdcall file_system_is_operation_safe, ebx
jz @f
DEBUGF 1, "sysfn70 addr error\n"
mov dword [image_of_eax], ERROR_MEMORY_POINTER
ret
@@:
jmp file_system_lfn
;file_system_lfn_protected returns values not in registers, but in their images
;on stack. Make a short wrapper to actually return values in registers.