kernel/fs: Add missing IS_USER_ADDRESS check in user_vector_io.
The iovecs themselves were checked before they were copied, but the iov_base inside each was not, making it possible for evil (or just broken) user applications to put kernel addresses in here. Part of #14961.
parent
e315daa9c1
commit
2b5ebfcfd5
|
@ -822,6 +822,13 @@ common_user_vector_io(int fd, off_t pos, const iovec* userVecs, size_t count,
|
||||||
|
|
||||||
ssize_t bytesTransferred = 0;
|
ssize_t bytesTransferred = 0;
|
||||||
for (uint32 i = 0; i < count; i++) {
|
for (uint32 i = 0; i < count; i++) {
|
||||||
|
if (!IS_USER_ADDRESS(vecs[i].iov_base)) {
|
||||||
|
status = B_BAD_ADDRESS;
|
||||||
|
if (bytesTransferred == 0)
|
||||||
|
return status;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
size_t length = vecs[i].iov_len;
|
size_t length = vecs[i].iov_len;
|
||||||
if (write) {
|
if (write) {
|
||||||
status = descriptor->ops->fd_write(descriptor, pos,
|
status = descriptor->ops->fd_write(descriptor, pos,
|
||||||
|
|
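Review bot: The new guard in the loop tests only the first byte of each buffer, `IS_USER_ADDRESS(vecs[i].iov_base)`, so an iovec whose base is a valid user address but whose `iov_len` carries the range past the top of user space (or wraps around) still passes and is handed to `fd_read`/`fd_write`. Unless those hooks validate the full range themselves, which is not visible in this hunk, the check should cover `[iov_base, iov_base + iov_len)`, for example `addr_t base = (addr_t)vecs[i].iov_base;` followed by `if (!IS_USER_ADDRESS(base) || base + vecs[i].iov_len < base || (vecs[i].iov_len > 0 && !IS_USER_ADDRESS(base + vecs[i].iov_len - 1)))`. A short comment on the `bytesTransferred == 0` branch would also help, e.g. `// report the error only if nothing was transferred; otherwise return the partial count`. The body of common_user_vector_io starts and ends outside the hunk, so how `status` is used after the `break` cannot be confirmed from here.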