-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
syscalls: Sanitize all pointers #606
base: master
Are you sure you want to change the base?
Conversation
Unit Test Results7 787 tests +46 7 054 ✅ +28 43m 24s ⏱️ + 3m 41s For more details on these failures, see this check. Results for commit a3d15c4. ± Comparison against base commit 84b66c2. ♻️ This comment has been updated with latest results. |
DONE: RTOS-939
0153d07
to
a3d15c4
Compare
if (vm_mapBelongs(proc, v, sizeof(v)) < 0) { | ||
return -1; | ||
} | ||
|
||
for (i = 0;; ++i) { | ||
if (vm_mapBelongs(proc, &v[i], sizeof(v)) < 0) { | ||
return -1; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wheni
= 0 &v[i] == v
@@ -1120,6 +1122,32 @@ int vm_mapBelongs(const struct _process_t *proc, const void *ptr, size_t size) | |||
} | |||
|
|||
|
|||
int vm_mapStringBelongs(const struct _process_t *proc, const char *str) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check has one more vulnerability than vm_mapBelongs
has. User can also alter the string post NUL byte check. We either have to copy the string or pass the string with length found by this function.
@@ -173,52 +175,119 @@ int syscalls_release(void *ustack) | |||
} | |||
|
|||
|
|||
static int syscalls_sanitizeVector(process_t *proc, char **v) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On top of vulnerabilities of vm_mapStringBelongs
and vm_mapStringBelongs
, this function is also vulnerable to user changing the elements of vector. Unfortunatelly, I think that there's no way around copying the vector, but a FIXME note should be sufficient for now.
Probably beyond the scope of this PR, but it would be nice to be resiliant to mov sp,0
int 0x80 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Several syscalls (e.g. sys_munmap
, mprotect
) still lack any checks - is this intentional?
@@ -1120,6 +1122,32 @@ int vm_mapBelongs(const struct _process_t *proc, const void *ptr, size_t size) | |||
} | |||
|
|||
|
|||
int vm_mapStringBelongs(const struct _process_t *proc, const char *str) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't there be a fast return for str == NULL
or at least handle that per-syscall? To avoid arithmetic on NULL
s and unnecessary locks.
DONE: RTOS-939
Description
Motivation and Context
Fixes phoenix-rtos/phoenix-rtos-project#976
Types of changes
How Has This Been Tested?
Checklist:
Special treatment