From b6f769987ce1e0a0a7abf6f0ad4877f4f88e8431 Mon Sep 17 00:00:00 2001
From: Ivan Baravy
Date: Fri, 9 Jul 2021 09:22:44 +0000
Subject: [PATCH] kernel: Check for base+len overflow in is_region_userspace
git-svn-id: svn://kolibrios.org@9045 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 kernel/trunk/blkdev/disk.inc | 2 +-
 kernel/trunk/core/clipboard.inc | 2 +-
 kernel/trunk/core/taskman.inc | 4 +--
 kernel/trunk/fs/fs_lfn.inc | 6 ++---
 kernel/trunk/gui/window.inc | 4 +--
 kernel/trunk/kernel.asm | 47 +++++++++++++++------------------
 kernel/trunk/network/stack.inc | 2 +-
 7 files changed, 32 insertions(+), 35 deletions(-)
diff --git a/kernel/trunk/blkdev/disk.inc b/kernel/trunk/blkdev/disk.inc
index 5771eab7eb..16d0c9ba68 100644
--- a/kernel/trunk/blkdev/disk.inc
+++ b/kernel/trunk/blkdev/disk.inc
@@ -1310,7 +1310,7 @@ proc default_fs_get_file_info uses edi
 mov ebx, [ebx+f70s5arg.buf]
 stdcall is_region_userspace, ebx, ecx
 movi eax, ERROR_MEMORY_POINTER
- jz .done
+ jnz .done
 mov edi, ebx
 xor eax, eax
 rep stosb
diff --git a/kernel/trunk/core/clipboard.inc b/kernel/trunk/core/clipboard.inc
index 99f1fa4aca..ffb70abbe3 100644
--- a/kernel/trunk/core/clipboard.inc
+++ b/kernel/trunk/core/clipboard.inc
@@ -52,7 +52,7 @@ align 4
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 stdcall is_region_userspace, edx, ecx
- jnz @f
+ jz @f
 mov eax, -1
 jmp .exit_1
 @@:
diff --git a/kernel/trunk/core/taskman.inc b/kernel/trunk/core/taskman.inc
index c891381196..dcd02d4301 100644
--- a/kernel/trunk/core/taskman.inc
+++ b/kernel/trunk/core/taskman.inc
@@ -812,7 +812,7 @@ common_app_entry:
 test edi, edi
 jz @f
 stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
- jz @f
+ jnz @f
 mov al, '/'
 stosb
 rep movsb
@@ -840,7 +840,7 @@ common_app_entry:
 .copy_cmdline:
 inc ecx ; keep in mind about 0 in the end
 stdcall is_region_userspace, edi, ecx
- jz .check_tls_header
+ jnz .check_tls_header
 dec ecx
 rep movsb
 mov byte [edi], 0 
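Review bot: The new `jnz .done` in default_fs_get_file_info consumes the ZF that is_region_userspace produced two instructions earlier, across `movi eax, ERROR_MEMORY_POINTER`; that is only sound if the `movi` macro expands to flag-preserving instructions (push/pop or mov), which this hunk cannot show. A one-line comment would protect whoever next edits the macro or reorders these lines: `jnz .done ; ZF from is_region_userspace -- movi must not touch flags`. The proc starts before this hunk.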
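Review bot: In the first common_app_entry hunk the region validated is `[ebp+APP_HDR.filename_size]` bytes at edi, but the writes that follow are one `stosb` plus ecx bytes of `rep movsb`, i.e. ecx+1 bytes; whether ecx equals filename_size-1 at that point is not visible here, and if it does not, the last byte written lands outside the checked range. Either pass the exact number of bytes about to be written, or record the invariant the check relies on, e.g. `; ecx = filename_size-1 here, so '/' + rep movsb stays within the checked region`. common_app_entry begins outside this hunk.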
diff --git a/kernel/trunk/fs/fs_lfn.inc b/kernel/trunk/fs/fs_lfn.inc
index 78d7a9e829..298939f6e9 100644
--- a/kernel/trunk/fs/fs_lfn.inc
+++ b/kernel/trunk/fs/fs_lfn.inc
@@ -92,7 +92,7 @@ image_of_ebx EQU esp+20
 ; syscall_fileSystemUnicode: ; with user pointer correctness checking ; ; in: ebx -> f.80 parameter structure
 ; stdcall file_system_is_operation_safe, ebx
-; jnz @f
+; jz @f
 ; DEBUGF 1, "sysfn80 addr error\n"
 ; mov dword [image_of_eax], ERROR_MEMORY_POINTER
@@ -108,7 +108,7 @@ image_of_ebx EQU esp+20
 ; syscall_file_system_lfn: ; with user pointer correctness checking ; ; in: ebx -> f.70 parameter structure
 ; stdcall file_system_is_operation_safe, ebx
-; jnz @f
+; jz @f
 ; DEBUGF 1, "sysfn70 addr error\n"
 ; mov dword [image_of_eax], ERROR_MEMORY_POINTER
@@ -550,7 +550,7 @@ sys_current_directory: ; sysfunction 30
 .get: ; in: ecx -> buffer, edx = length, eax = encoding
 stdcall is_region_userspace, ecx, edx
- jnz @f
+ jz @f ; if illegal buffer given
 xor edx, edx
diff --git a/kernel/trunk/gui/window.inc b/kernel/trunk/gui/window.inc
index 6b1e7e19b0..ce1bd7fdca 100644
--- a/kernel/trunk/gui/window.inc
+++ b/kernel/trunk/gui/window.inc
@@ -130,7 +130,7 @@ dd .setSkinUnicode
 mov edx, 192 ; max size
 @@:
 stdcall is_region_userspace, esi, edx ;
- jnz @f ;
+ jz @f ;
 ret ;
 @@:
 mov edi, common_colours
@@ -147,7 +147,7 @@ dd .setSkinUnicode
 mov edx, 192 ; max size
 @@:
 stdcall is_region_userspace, edi, edx
- jnz @f
+ jz @f
 ret
 @@:
 mov esi, common_colours
diff --git a/kernel/trunk/kernel.asm b/kernel/trunk/kernel.asm
index cab36f16b7..d055f15959 100644
--- a/kernel/trunk/kernel.asm
+++ b/kernel/trunk/kernel.asm
@@ -1419,13 +1419,13 @@ display_number:
 test bl, bl
 jz @f
 stdcall is_region_userspace, ecx, 1
- jnz @f
+ jz @f
 ret
 @@:
 test esi, 0x08000000
 jz @f
 stdcall is_region_userspace, edi, 1
- jnz @f
+ jz @f
 ret
 @@:
 ;It is not optimization 
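Review bot: The rewritten `jz @f ;` in the first window.inc hunk keeps an empty trailing comment marker, as do the `stdcall` and `ret` lines around it, which reads as leftover scaffolding and says nothing about the flag sense that this commit just flipped. Either drop the bare `;` or make the branch self-explaining, e.g. `jz @f ; ZF=1: buffer lies in user space, go copy it`. The second hunk in this file already uses the bare form without the markers, so the two sites should agree.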
@@ -1767,7 +1767,7 @@ sys_getsetup: ; if given memory address belongs to kernel then error
 stdcall is_region_userspace, ebx, 128
- jz .addr_error
+ jnz .addr_error
 mov eax, keymap
 mov ecx, 128
@@ -1780,7 +1780,7 @@ sys_getsetup:
 jnz .alt
 stdcall is_region_userspace, ebx, 128
- jz .addr_error
+ jnz .addr_error
 mov eax, keymap_shift
 mov ecx, 128
@@ -1793,7 +1793,7 @@ sys_getsetup:
 jne .country
 stdcall is_region_userspace, ebx, 128
- jz .addr_error
+ jnz .addr_error
 mov eax, keymap_alt
 mov ecx, 128
@@ -2459,7 +2459,7 @@ sysfn_getdiskinfo: ; 18.11 = get disk info table
 jnz .exit
 .small_table:
 stdcall is_region_userspace, edx, DRIVE_DATA_SIZE
- jz .exit
+ jnz .exit
 mov edi, edx
 mov esi, DRIVE_DATA
 mov ecx, DRIVE_DATA_SIZE ;10
@@ -2475,7 +2475,7 @@ sysfn_lastkey: ; 18.12 = return 0 (backward compatibility)
 sysfn_getversion: ; 18.13 = get kernel ID and version ; if given memory address belongs to kernel then error
 stdcall is_region_userspace, ecx, version_end-version_inf
- jz .addr_error
+ jnz .addr_error
 mov edi, ecx
 mov esi, version_inf
@@ -2838,7 +2838,7 @@ nosb4: ; add check pointer
 stdcall is_region_userspace, ecx, esi
- jz .fin
+ jnz .fin
 cmp [img_background], static_background_data
 jnz @f
@@ -3191,7 +3191,7 @@ sys_cpuusage: ; ; if given memory address belongs to kernel then error
 stdcall is_region_userspace, ebx, 0x4C
- jz .addr_error
+ jnz .addr_error
 cmp ecx, -1 ; who am I ?
 jne .no_who_am_i
@@ -4401,7 +4401,7 @@ syscall_putimage: ; PutImage
 lea eax, [eax*3]
 stdcall is_region_userspace, ebx, eax
 pop ecx
- jz sys_putimage.exit
+ jnz sys_putimage.exit
 sys_putimage:
 test ecx, 0x80008000
@@ -4451,7 +4451,7 @@ sys_putimage_palette:
 imul eax, ecx
 stdcall is_region_userspace, ebx, eax
 pop ecx
- jz sys_putimage.exit
+ jnz sys_putimage.exit
 mov eax, [current_slot_idx]
 shl eax, 8
@@ -5206,7 +5206,7 @@ align 4
 syscall_writetext: ; WriteText
 stdcall is_region_userspace, edx, esi
- jz .err
+ jnz .err
 mov eax, [TASK_BASE]
 mov ebp, [eax-twdw+WDATA.box.left] 
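Review bot: In the sys_putimage_palette hunk the length passed to is_region_userspace is the product `imul eax, ecx`, and a 32-bit wrap of that product is never checked, so an oversized width*height*bytes-per-pixel can collapse to a small length and sail through the bounds check that this commit tightens; the same applies to `lea eax, [eax*3]` in the syscall_putimage hunk above. Unless the factors are already bounded before this hunk (not visible here), reject the overflow right after the imul; note that the visible `pop ecx` precedes the existing `jnz sys_putimage.exit`, so the early exit must pop as well, and that imul's OF also fires for products of 2^31 and above, which is acceptable for a user buffer length. sys_putimage.exit and the function prologue lie outside this hunk.
```asm
        imul    eax, ecx
        jno     @f                      ; width*height*bpp must fit in 32 bits
        pop     ecx                     ; same stack state the existing exit path expects
        jmp     sys_putimage.exit
@@:
        stdcall is_region_userspace, ebx, eax
        ; … unchanged: pop ecx / jnz sys_putimage.exit …
```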
@@ -5230,7 +5230,7 @@ align 4
 @@: ; check pointer
 stdcall is_region_userspace, edi, 0
- jz .err
+ jnz .err
 jmp dtext
 .err:
 ret
@@ -5403,7 +5403,7 @@ syscall_getarea:
 lea ebp, [ebp*3]
 imul ebp, esi
 stdcall is_region_userspace, edi, ebp
- jz .exit
+ jnz .exit
 mov ebp, edx
 dec ebp
@@ -5474,7 +5474,7 @@ syscall_putarea_backgr:
 lea ebp, [ebp*4]
 imul ebp, esi
 stdcall is_region_userspace, edi, ebp
- jz .exit
+ jnz .exit
 mov ebp, edx
@@ -5754,23 +5754,20 @@ align 4
 ; @return ZF = 1 if region in userspace memory, ; ZF = 0 otherwise
 proc is_region_userspace stdcall, base:dword, len:dword
- push eax ebx
+ push eax
 mov eax, [base]
- cmp eax, OS_BASE
- ja @f
+ cmp eax, OS_BASE-1
+ ja @f ; zf
 add eax, [len]
+ jc @f ; zf
 cmp eax, OS_BASE
- ja @f
+ ja @f ; zf
- mov eax, 1
- jmp .ret
+ cmp eax, eax ; ZF
 @@:
- xor eax, eax
-.ret:
- test eax, eax
- pop ebx eax
+ pop eax
 ret
 endp
diff --git a/kernel/trunk/network/stack.inc b/kernel/trunk/network/stack.inc
index 77263b20ce..2c70f858d2 100644
--- a/kernel/trunk/network/stack.inc
+++ b/kernel/trunk/network/stack.inc
@@ -830,7 +830,7 @@ sys_network:
 .get_dev_name:
 mov ebx, eax
 stdcall is_region_userspace, ecx, 64
- jz .bad_buffer
+ jnz .bad_buffer
 mov esi, [ebx + NET_DEVICE.name]
 mov edi, ecx
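Review bot: The `jnz .err` in the second syscall_writetext hunk guards a check made with length 0, `stdcall is_region_userspace, edi, 0`, which only proves that the start address lies below OS_BASE; a string that begins just under OS_BASE and continues past it passes the check and is then handed to dtext. dtext and the rule for how far it reads are not visible here; if it reads to a terminator, the check should cover the maximum length it can consume, or dtext itself must stop at the kernel boundary. At minimum the intent deserves a comment so nobody mistakes this for a full buffer check: `stdcall is_region_userspace, edi, 0 ; validates the start address only, not the string length`. syscall_writetext starts outside this hunk.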
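Review bot: The new overflow exit `jc @f ; zf` in is_region_userspace does not guarantee ZF = 0 at `@@:` — the flags there are those of `add eax, [len]`, so a sum that wraps to exactly zero (any base below OS_BASE with len = -base, e.g. base 0x1000 and len 0xFFFFF000) leaves CF = 1 and ZF = 1, and every caller flipped by this commit then treats the region as valid user memory, which is precisely the case the commit set out to reject. The two `ja @f` exits are sound because ja is only taken with ZF = 0; jc carries no such property. Routing the carry case through an explicit failure path that forces ZF = 0 closes the hole (eax is scratch here since the pop restores it, and pop/ret leave flags untouched), and the contract stated by the hunk's `; @return ZF = 1 …` header is kept.
```asm
proc is_region_userspace stdcall, base:dword, len:dword
        push    eax
        mov     eax, [base]
        cmp     eax, OS_BASE-1
        ja      .done                   ; base in kernel space: ja implies ZF = 0
        add     eax, [len]
        jnc     .check_end
        or      eax, 1                  ; base+len wrapped past 4 GiB: force ZF = 0 (eax restored below)
        jmp     .done
.check_end:
        cmp     eax, OS_BASE
        ja      .done                   ; end beyond OS_BASE: ZF = 0
        cmp     eax, eax                ; region lies in user space: ZF = 1
.done:
        pop     eax                     ; pop and ret do not modify flags
        ret
endp
```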