kernel/fs: Add missing IS_USER_ADDRESS check in user_vector_io.

The iovecs themselves were checked before they were copied, but the iov_base inside each was not, making it possible for evil (or just broken) user applications to put kernel addresses in here. Part of #14961.
2019-09-13 22:11:27 -04:00 · 2019-09-13 22:11:27 -04:00 · 2b5ebfcfd5
parent e315daa9c1
commit 2b5ebfcfd5
1 changed files with 7 additions and 0 deletions
--- a/src/system/kernel/fs/fd.cpp
+++ b/src/system/kernel/fs/fd.cpp
@ -822,6 +822,13 @@ common_user_vector_io(int fd, off_t pos, const iovec* userVecs, size_t count,

 	ssize_t bytesTransferred = 0;
 	for (uint32 i = 0; i < count; i++) {
+		if (!IS_USER_ADDRESS(vecs[i].iov_base)) {
+			status = B_BAD_ADDRESS;
+			if (bytesTransferred == 0)
+				return status;
+			break;
+		}
+
 		size_t length = vecs[i].iov_len;
 		if (write) {
 			status = descriptor->ops->fd_write(descriptor, pos,