kernel: Check for base+len overflow in is_region_userspace

git-svn-id: svn://kolibrios.org@9045 a494cfbc-eb01-0410-851d-a64ba20cac60
2021-07-09 09:22:44 +00:00 · 2021-07-09 09:22:44 +00:00 · b6f769987c
commit b6f769987c
parent 34a4c12412
7 changed files with 32 additions and 35 deletions
--- a/kernel/trunk/blkdev/disk.inc
+++ b/kernel/trunk/blkdev/disk.inc
@ -1310,7 +1310,7 @@ proc default_fs_get_file_info uses edi
        mov     ebx, [ebx+f70s5arg.buf]
        stdcall is_region_userspace, ebx, ecx
        movi    eax, ERROR_MEMORY_POINTER
-        jz      .done
+        jnz     .done
        mov     edi, ebx
        xor     eax, eax
        rep stosb
--- a/kernel/trunk/core/clipboard.inc
+++ b/kernel/trunk/core/clipboard.inc
@ -52,7 +52,7 @@ align 4
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        stdcall is_region_userspace, edx, ecx
-        jnz     @f
+        jz      @f
        mov     eax, -1
        jmp     .exit_1
@@:
--- a/kernel/trunk/core/taskman.inc
+++ b/kernel/trunk/core/taskman.inc
@ -812,7 +812,7 @@ common_app_entry:
        test    edi, edi
        jz      @f
        stdcall is_region_userspace, edi, [ebp+APP_HDR.filename_size]
-        jz      @f
+        jnz     @f
        mov     al, '/'
        stosb
        rep movsb
@ -840,7 +840,7 @@ common_app_entry:
 .copy_cmdline:
        inc     ecx  ; keep in mind about 0 in the end
        stdcall is_region_userspace, edi, ecx
-        jz      .check_tls_header
+        jnz     .check_tls_header
        dec     ecx
        rep movsb
        mov     byte [edi], 0
--- a/kernel/trunk/fs/fs_lfn.inc
+++ b/kernel/trunk/fs/fs_lfn.inc
@ -92,7 +92,7 @@ image_of_ebx EQU esp+20
 ; syscall_fileSystemUnicode: ; with user pointer correctness checking
 ; ; in: ebx -> f.80 parameter structure
 ;         stdcall file_system_is_operation_safe, ebx
-;         jnz     @f
+;         jz      @f
 ;         DEBUGF  1, "sysfn80 addr error\n"
 ;         mov     dword [image_of_eax], ERROR_MEMORY_POINTER
@ -108,7 +108,7 @@ image_of_ebx EQU esp+20
 ; syscall_file_system_lfn: ; with user pointer correctness checking
 ; ; in: ebx -> f.70 parameter structure
 ;         stdcall file_system_is_operation_safe, ebx
-;         jnz     @f
+;         jz      @f
 ;         DEBUGF  1, "sysfn70 addr error\n"
 ;         mov     dword [image_of_eax], ERROR_MEMORY_POINTER
@ -550,7 +550,7 @@ sys_current_directory:  ; sysfunction 30
 .get:
 ; in: ecx -> buffer, edx = length, eax = encoding
        stdcall is_region_userspace, ecx, edx
-        jnz     @f
+        jz      @f
        ; if illegal buffer given
        xor     edx, edx
--- a/kernel/trunk/gui/window.inc
+++ b/kernel/trunk/gui/window.inc
@ -130,7 +130,7 @@ dd  .setSkinUnicode
        mov     edx, 192 ; max size
@@:
        stdcall is_region_userspace, esi, edx    ;
-        jnz     @f                               ;
+        jz      @f                               ;
        ret                                      ;
@@:
        mov     edi, common_colours
@ -147,7 +147,7 @@ dd  .setSkinUnicode
        mov     edx, 192 ; max size
@@:
        stdcall is_region_userspace, edi, edx
-        jnz     @f
+        jz      @f
        ret
@@:
        mov     esi, common_colours
--- a/kernel/trunk/kernel.asm
+++ b/kernel/trunk/kernel.asm
@ -1419,13 +1419,13 @@ display_number:
        test    bl, bl
        jz      @f
        stdcall is_region_userspace, ecx, 1
-        jnz     @f
+        jz      @f
        ret
@@:
        test    esi, 0x08000000
        jz      @f
        stdcall is_region_userspace, edi, 1
-        jnz     @f
+        jz      @f
        ret
@@:
 ;It is not optimization
@ -1767,7 +1767,7 @@ sys_getsetup:
        ; if given memory address belongs to kernel then error
        stdcall is_region_userspace, ebx, 128
-        jz      .addr_error
+        jnz     .addr_error
        mov     eax, keymap
        mov     ecx, 128
@ -1780,7 +1780,7 @@ sys_getsetup:
        jnz     .alt
        stdcall is_region_userspace, ebx, 128
-        jz      .addr_error
+        jnz     .addr_error
        mov     eax, keymap_shift
        mov     ecx, 128
@ -1793,7 +1793,7 @@ sys_getsetup:
        jne     .country
        stdcall is_region_userspace, ebx, 128
-        jz      .addr_error
+        jnz     .addr_error
        mov     eax, keymap_alt
        mov     ecx, 128
@ -2459,7 +2459,7 @@ sysfn_getdiskinfo:      ; 18.11 = get disk info table
        jnz     .exit
 .small_table:
        stdcall is_region_userspace, edx, DRIVE_DATA_SIZE
-        jz      .exit
+        jnz     .exit
        mov     edi, edx
        mov     esi, DRIVE_DATA
        mov     ecx, DRIVE_DATA_SIZE ;10
@ -2475,7 +2475,7 @@ sysfn_lastkey:          ; 18.12 = return 0 (backward compatibility)
 sysfn_getversion:       ; 18.13 = get kernel ID and version
        ; if given memory address belongs to kernel then error
        stdcall is_region_userspace, ecx, version_end-version_inf
-        jz      .addr_error
+        jnz     .addr_error
        mov     edi, ecx
        mov     esi, version_inf
@ -2838,7 +2838,7 @@ nosb4:
 ; add check pointer
        stdcall is_region_userspace, ecx, esi
-        jz      .fin
+        jnz     .fin
        cmp     [img_background], static_background_data
        jnz     @f
@ -3191,7 +3191,7 @@ sys_cpuusage:
 ;
        ; if given memory address belongs to kernel then error
        stdcall is_region_userspace, ebx, 0x4C
-        jz      .addr_error
+        jnz     .addr_error
        cmp     ecx, -1 ; who am I ?
        jne     .no_who_am_i
@ -4401,7 +4401,7 @@ syscall_putimage:                       ; PutImage
        lea     eax, [eax*3]
        stdcall is_region_userspace, ebx, eax
        pop     ecx
-        jz      sys_putimage.exit
+        jnz     sys_putimage.exit
 sys_putimage:
        test    ecx, 0x80008000
@ -4451,7 +4451,7 @@ sys_putimage_palette:
        imul    eax, ecx
        stdcall is_region_userspace, ebx, eax
        pop     ecx
-        jz      sys_putimage.exit
+        jnz     sys_putimage.exit
        mov     eax, [current_slot_idx]
        shl     eax, 8
@ -5206,7 +5206,7 @@ align 4
 syscall_writetext:                      ; WriteText
        stdcall is_region_userspace, edx, esi
-        jz      .err
+        jnz     .err
        mov     eax, [TASK_BASE]
        mov     ebp, [eax-twdw+WDATA.box.left]
@ -5230,7 +5230,7 @@ align 4
@@:     ;  check pointer
        stdcall is_region_userspace, edi, 0
-        jz      .err
+        jnz     .err
        jmp     dtext
 .err:
        ret
@ -5403,7 +5403,7 @@ syscall_getarea:
        lea     ebp, [ebp*3]
        imul    ebp, esi
        stdcall is_region_userspace, edi, ebp
-        jz      .exit
+        jnz     .exit
        mov     ebp, edx
        dec     ebp
@ -5474,7 +5474,7 @@ syscall_putarea_backgr:
        lea     ebp, [ebp*4]
        imul    ebp, esi
        stdcall is_region_userspace, edi, ebp
-        jz      .exit
+        jnz     .exit
        mov     ebp, edx
@ -5754,23 +5754,20 @@ align 4
 ; @return ZF = 1 if region in userspace memory,
 ;         ZF = 0 otherwise
 proc is_region_userspace stdcall, base:dword, len:dword
-        push    eax ebx
+        push    eax
        mov     eax, [base]
-        cmp     eax, OS_BASE
+        cmp     eax, OS_BASE-1
-        ja      @f
+        ja      @f              ; zf
        add     eax, [len]
        jc      @f              ; zf
        cmp     eax, OS_BASE
-        ja      @f
+        ja      @f              ; zf
-        mov     eax, 1
+        cmp     eax, eax        ; ZF
        jmp     .ret
@@:
-        xor     eax, eax
+        pop     eax
 .ret:
        test    eax, eax
        pop     ebx eax
        ret 
 endp
--- a/kernel/trunk/network/stack.inc
+++ b/kernel/trunk/network/stack.inc
@ -830,7 +830,7 @@ sys_network:
  .get_dev_name:
        mov     ebx, eax
        stdcall is_region_userspace, ecx, 64
-        jz      .bad_buffer      
+        jnz     .bad_buffer
        mov     esi, [ebx + NET_DEVICE.name]
        mov     edi, ecx