forked from KolibriOS/kolibrios
kernel: Check for base+len overflow in is_region_userspace
git-svn-id: svn://kolibrios.org@9045 a494cfbc-eb01-0410-851d-a64ba20cac60
This commit is contained in:
parent
34a4c12412
commit
b6f769987c
@ -1310,7 +1310,7 @@ proc default_fs_get_file_info uses edi
|
|||||||
mov ebx, [ebx+f70s5arg.buf]
|
mov ebx, [ebx+f70s5arg.buf]
|
||||||
stdcall is_region_userspace, ebx, ecx
|
stdcall is_region_userspace, ebx, ecx
|
||||||
movi eax, ERROR_MEMORY_POINTER
|
movi eax, ERROR_MEMORY_POINTER
|
||||||
jz .done
|
jnz .done
|
||||||
mov edi, ebx
|
mov edi, ebx
|
||||||
xor eax, eax
|
xor eax, eax
|
||||||
rep stosb
|
rep stosb
|
||||||
|
@ -52,7 +52,7 @@ align 4
|
|||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
stdcall is_region_userspace, edx, ecx
|
stdcall is_region_userspace, edx, ecx
|
||||||
jnz @f
|
jz @f
|
||||||
mov eax, -1
|
mov eax, -1
|
||||||
jmp .exit_1
|
jmp .exit_1
|
||||||
@@:
|
@@:
|
||||||
|
@ -812,7 +812,7 @@ common_app_entry:
|
|||||||
test edi, edi
|
test edi, edi
|
||||||
jz @f
|
jz @f
|
||||||
stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
|
stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
|
||||||
jz @f
|
jnz @f
|
||||||
mov al, '/'
|
mov al, '/'
|
||||||
stosb
|
stosb
|
||||||
rep movsb
|
rep movsb
|
||||||
@ -840,7 +840,7 @@ common_app_entry:
|
|||||||
.copy_cmdline:
|
.copy_cmdline:
|
||||||
inc ecx ; keep in mind about 0 in the end
|
inc ecx ; keep in mind about 0 in the end
|
||||||
stdcall is_region_userspace, edi, ecx
|
stdcall is_region_userspace, edi, ecx
|
||||||
jz .check_tls_header
|
jnz .check_tls_header
|
||||||
dec ecx
|
dec ecx
|
||||||
rep movsb
|
rep movsb
|
||||||
mov byte [edi], 0
|
mov byte [edi], 0
|
||||||
|
@ -92,7 +92,7 @@ image_of_ebx EQU esp+20
|
|||||||
; syscall_fileSystemUnicode: ; with user pointer correctness checking
|
; syscall_fileSystemUnicode: ; with user pointer correctness checking
|
||||||
; ; in: ebx -> f.80 parameter structure
|
; ; in: ebx -> f.80 parameter structure
|
||||||
; stdcall file_system_is_operation_safe, ebx
|
; stdcall file_system_is_operation_safe, ebx
|
||||||
; jnz @f
|
; jz @f
|
||||||
|
|
||||||
; DEBUGF 1, "sysfn80 addr error\n"
|
; DEBUGF 1, "sysfn80 addr error\n"
|
||||||
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
||||||
@ -108,7 +108,7 @@ image_of_ebx EQU esp+20
|
|||||||
; syscall_file_system_lfn: ; with user pointer correctness checking
|
; syscall_file_system_lfn: ; with user pointer correctness checking
|
||||||
; ; in: ebx -> f.70 parameter structure
|
; ; in: ebx -> f.70 parameter structure
|
||||||
; stdcall file_system_is_operation_safe, ebx
|
; stdcall file_system_is_operation_safe, ebx
|
||||||
; jnz @f
|
; jz @f
|
||||||
|
|
||||||
; DEBUGF 1, "sysfn70 addr error\n"
|
; DEBUGF 1, "sysfn70 addr error\n"
|
||||||
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
; mov dword [image_of_eax], ERROR_MEMORY_POINTER
|
||||||
@ -550,7 +550,7 @@ sys_current_directory: ; sysfunction 30
|
|||||||
.get:
|
.get:
|
||||||
; in: ecx -> buffer, edx = length, eax = encoding
|
; in: ecx -> buffer, edx = length, eax = encoding
|
||||||
stdcall is_region_userspace, ecx, edx
|
stdcall is_region_userspace, ecx, edx
|
||||||
jnz @f
|
jz @f
|
||||||
|
|
||||||
; if illegal buffer given
|
; if illegal buffer given
|
||||||
xor edx, edx
|
xor edx, edx
|
||||||
|
@ -130,7 +130,7 @@ dd .setSkinUnicode
|
|||||||
mov edx, 192 ; max size
|
mov edx, 192 ; max size
|
||||||
@@:
|
@@:
|
||||||
stdcall is_region_userspace, esi, edx ;
|
stdcall is_region_userspace, esi, edx ;
|
||||||
jnz @f ;
|
jz @f ;
|
||||||
ret ;
|
ret ;
|
||||||
@@:
|
@@:
|
||||||
mov edi, common_colours
|
mov edi, common_colours
|
||||||
@ -147,7 +147,7 @@ dd .setSkinUnicode
|
|||||||
mov edx, 192 ; max size
|
mov edx, 192 ; max size
|
||||||
@@:
|
@@:
|
||||||
stdcall is_region_userspace, edi, edx
|
stdcall is_region_userspace, edi, edx
|
||||||
jnz @f
|
jz @f
|
||||||
ret
|
ret
|
||||||
@@:
|
@@:
|
||||||
mov esi, common_colours
|
mov esi, common_colours
|
||||||
|
@ -1419,13 +1419,13 @@ display_number:
|
|||||||
test bl, bl
|
test bl, bl
|
||||||
jz @f
|
jz @f
|
||||||
stdcall is_region_userspace, ecx, 1
|
stdcall is_region_userspace, ecx, 1
|
||||||
jnz @f
|
jz @f
|
||||||
ret
|
ret
|
||||||
@@:
|
@@:
|
||||||
test esi, 0x08000000
|
test esi, 0x08000000
|
||||||
jz @f
|
jz @f
|
||||||
stdcall is_region_userspace, edi, 1
|
stdcall is_region_userspace, edi, 1
|
||||||
jnz @f
|
jz @f
|
||||||
ret
|
ret
|
||||||
@@:
|
@@:
|
||||||
;It is not optimization
|
;It is not optimization
|
||||||
@ -1767,7 +1767,7 @@ sys_getsetup:
|
|||||||
|
|
||||||
; if given memory address belongs to kernel then error
|
; if given memory address belongs to kernel then error
|
||||||
stdcall is_region_userspace, ebx, 128
|
stdcall is_region_userspace, ebx, 128
|
||||||
jz .addr_error
|
jnz .addr_error
|
||||||
|
|
||||||
mov eax, keymap
|
mov eax, keymap
|
||||||
mov ecx, 128
|
mov ecx, 128
|
||||||
@ -1780,7 +1780,7 @@ sys_getsetup:
|
|||||||
jnz .alt
|
jnz .alt
|
||||||
|
|
||||||
stdcall is_region_userspace, ebx, 128
|
stdcall is_region_userspace, ebx, 128
|
||||||
jz .addr_error
|
jnz .addr_error
|
||||||
|
|
||||||
mov eax, keymap_shift
|
mov eax, keymap_shift
|
||||||
mov ecx, 128
|
mov ecx, 128
|
||||||
@ -1793,7 +1793,7 @@ sys_getsetup:
|
|||||||
jne .country
|
jne .country
|
||||||
|
|
||||||
stdcall is_region_userspace, ebx, 128
|
stdcall is_region_userspace, ebx, 128
|
||||||
jz .addr_error
|
jnz .addr_error
|
||||||
|
|
||||||
mov eax, keymap_alt
|
mov eax, keymap_alt
|
||||||
mov ecx, 128
|
mov ecx, 128
|
||||||
@ -2459,7 +2459,7 @@ sysfn_getdiskinfo: ; 18.11 = get disk info table
|
|||||||
jnz .exit
|
jnz .exit
|
||||||
.small_table:
|
.small_table:
|
||||||
stdcall is_region_userspace, edx, DRIVE_DATA_SIZE
|
stdcall is_region_userspace, edx, DRIVE_DATA_SIZE
|
||||||
jz .exit
|
jnz .exit
|
||||||
mov edi, edx
|
mov edi, edx
|
||||||
mov esi, DRIVE_DATA
|
mov esi, DRIVE_DATA
|
||||||
mov ecx, DRIVE_DATA_SIZE ;10
|
mov ecx, DRIVE_DATA_SIZE ;10
|
||||||
@ -2475,7 +2475,7 @@ sysfn_lastkey: ; 18.12 = return 0 (backward compatibility)
|
|||||||
sysfn_getversion: ; 18.13 = get kernel ID and version
|
sysfn_getversion: ; 18.13 = get kernel ID and version
|
||||||
; if given memory address belongs to kernel then error
|
; if given memory address belongs to kernel then error
|
||||||
stdcall is_region_userspace, ecx, version_end-version_inf
|
stdcall is_region_userspace, ecx, version_end-version_inf
|
||||||
jz .addr_error
|
jnz .addr_error
|
||||||
|
|
||||||
mov edi, ecx
|
mov edi, ecx
|
||||||
mov esi, version_inf
|
mov esi, version_inf
|
||||||
@ -2838,7 +2838,7 @@ nosb4:
|
|||||||
|
|
||||||
; add check pointer
|
; add check pointer
|
||||||
stdcall is_region_userspace, ecx, esi
|
stdcall is_region_userspace, ecx, esi
|
||||||
jz .fin
|
jnz .fin
|
||||||
|
|
||||||
cmp [img_background], static_background_data
|
cmp [img_background], static_background_data
|
||||||
jnz @f
|
jnz @f
|
||||||
@ -3191,7 +3191,7 @@ sys_cpuusage:
|
|||||||
;
|
;
|
||||||
; if given memory address belongs to kernel then error
|
; if given memory address belongs to kernel then error
|
||||||
stdcall is_region_userspace, ebx, 0x4C
|
stdcall is_region_userspace, ebx, 0x4C
|
||||||
jz .addr_error
|
jnz .addr_error
|
||||||
|
|
||||||
cmp ecx, -1 ; who am I ?
|
cmp ecx, -1 ; who am I ?
|
||||||
jne .no_who_am_i
|
jne .no_who_am_i
|
||||||
@ -4401,7 +4401,7 @@ syscall_putimage: ; PutImage
|
|||||||
lea eax, [eax*3]
|
lea eax, [eax*3]
|
||||||
stdcall is_region_userspace, ebx, eax
|
stdcall is_region_userspace, ebx, eax
|
||||||
pop ecx
|
pop ecx
|
||||||
jz sys_putimage.exit
|
jnz sys_putimage.exit
|
||||||
|
|
||||||
sys_putimage:
|
sys_putimage:
|
||||||
test ecx, 0x80008000
|
test ecx, 0x80008000
|
||||||
@ -4451,7 +4451,7 @@ sys_putimage_palette:
|
|||||||
imul eax, ecx
|
imul eax, ecx
|
||||||
stdcall is_region_userspace, ebx, eax
|
stdcall is_region_userspace, ebx, eax
|
||||||
pop ecx
|
pop ecx
|
||||||
jz sys_putimage.exit
|
jnz sys_putimage.exit
|
||||||
|
|
||||||
mov eax, [current_slot_idx]
|
mov eax, [current_slot_idx]
|
||||||
shl eax, 8
|
shl eax, 8
|
||||||
@ -5206,7 +5206,7 @@ align 4
|
|||||||
syscall_writetext: ; WriteText
|
syscall_writetext: ; WriteText
|
||||||
|
|
||||||
stdcall is_region_userspace, edx, esi
|
stdcall is_region_userspace, edx, esi
|
||||||
jz .err
|
jnz .err
|
||||||
|
|
||||||
mov eax, [TASK_BASE]
|
mov eax, [TASK_BASE]
|
||||||
mov ebp, [eax-twdw+WDATA.box.left]
|
mov ebp, [eax-twdw+WDATA.box.left]
|
||||||
@ -5230,7 +5230,7 @@ align 4
|
|||||||
|
|
||||||
@@: ; check pointer
|
@@: ; check pointer
|
||||||
stdcall is_region_userspace, edi, 0
|
stdcall is_region_userspace, edi, 0
|
||||||
jz .err
|
jnz .err
|
||||||
jmp dtext
|
jmp dtext
|
||||||
.err:
|
.err:
|
||||||
ret
|
ret
|
||||||
@ -5403,7 +5403,7 @@ syscall_getarea:
|
|||||||
lea ebp, [ebp*3]
|
lea ebp, [ebp*3]
|
||||||
imul ebp, esi
|
imul ebp, esi
|
||||||
stdcall is_region_userspace, edi, ebp
|
stdcall is_region_userspace, edi, ebp
|
||||||
jz .exit
|
jnz .exit
|
||||||
|
|
||||||
mov ebp, edx
|
mov ebp, edx
|
||||||
dec ebp
|
dec ebp
|
||||||
@ -5474,7 +5474,7 @@ syscall_putarea_backgr:
|
|||||||
lea ebp, [ebp*4]
|
lea ebp, [ebp*4]
|
||||||
imul ebp, esi
|
imul ebp, esi
|
||||||
stdcall is_region_userspace, edi, ebp
|
stdcall is_region_userspace, edi, ebp
|
||||||
jz .exit
|
jnz .exit
|
||||||
|
|
||||||
mov ebp, edx
|
mov ebp, edx
|
||||||
|
|
||||||
@ -5754,23 +5754,20 @@ align 4
|
|||||||
; @return ZF = 1 if region in userspace memory,
|
; @return ZF = 1 if region in userspace memory,
|
||||||
; ZF = 0 otherwise
|
; ZF = 0 otherwise
|
||||||
proc is_region_userspace stdcall, base:dword, len:dword
|
proc is_region_userspace stdcall, base:dword, len:dword
|
||||||
push eax ebx
|
push eax
|
||||||
mov eax, [base]
|
mov eax, [base]
|
||||||
|
|
||||||
cmp eax, OS_BASE
|
cmp eax, OS_BASE-1
|
||||||
ja @f
|
ja @f ; zf
|
||||||
|
|
||||||
add eax, [len]
|
add eax, [len]
|
||||||
|
jc @f ; zf
|
||||||
cmp eax, OS_BASE
|
cmp eax, OS_BASE
|
||||||
ja @f
|
ja @f ; zf
|
||||||
|
|
||||||
mov eax, 1
|
cmp eax, eax ; ZF
|
||||||
jmp .ret
|
|
||||||
@@:
|
@@:
|
||||||
xor eax, eax
|
pop eax
|
||||||
.ret:
|
|
||||||
test eax, eax
|
|
||||||
pop ebx eax
|
|
||||||
ret
|
ret
|
||||||
endp
|
endp
|
||||||
|
|
||||||
|
@ -830,7 +830,7 @@ sys_network:
|
|||||||
.get_dev_name:
|
.get_dev_name:
|
||||||
mov ebx, eax
|
mov ebx, eax
|
||||||
stdcall is_region_userspace, ecx, 64
|
stdcall is_region_userspace, ecx, 64
|
||||||
jz .bad_buffer
|
jnz .bad_buffer
|
||||||
mov esi, [ebx + NET_DEVICE.name]
|
mov esi, [ebx + NET_DEVICE.name]
|
||||||
mov edi, ecx
|
mov edi, ecx
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user