From c1f74bf327d8b80970b5805bcff6dee24262604e Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Mon, 27 Jan 2020 12:43:21 +0100
Subject: [PATCH] Kernel: Never validate access to the kmalloc memory range

Memory validation is used to verify that user syscalls are allowed to access a given memory range. Ring 0 threads never make syscalls, and so will never end up in validation anyway. The reason we were allowing kmalloc memory accesses is because kernel thread stacks used to be allocated in kmalloc memory. Since that's no longer the case, we can stop making exceptions for kmalloc in the validation code.
---
 Kernel/Heap/kmalloc.cpp | 7 -------
 Kernel/Heap/kmalloc.h | 2 --
 Kernel/Process.cpp | 20 ++------------------
 3 files changed, 2 insertions(+), 27 deletions(-)

diff --git a/Kernel/Heap/kmalloc.cpp b/Kernel/Heap/kmalloc.cpp
index 5d0cdce0a3c9f4e50c65fc38e29eb33d72fdac60..77bb72fee600f078645d665dea3aab17443566a5 100644
--- a/Kernel/Heap/kmalloc.cpp
+++ b/Kernel/Heap/kmalloc.cpp
@@ -66,13 +66,6 @@ bool g_dump_kmalloc_stacks;
 static u8* s_next_eternal_ptr;
 static u8* s_end_of_eternal_range;

-bool is_kmalloc_address(const void* ptr)
-{
- if (ptr >= (u8*)ETERNAL_BASE_PHYSICAL && ptr < s_next_eternal_ptr)
- return true;
- return (size_t)ptr >= BASE_PHYSICAL && (size_t)ptr <= (BASE_PHYSICAL + POOL_SIZE);
-}
-
 void kmalloc_init()
 {
 memset(&alloc_map, 0, sizeof(alloc_map));
diff --git a/Kernel/Heap/kmalloc.h b/Kernel/Heap/kmalloc.h
index 031d24263c9104a8dd73cd0e13bc5cdf59210f98..772e54112d9a3f3b0a2a943406518681a615d551 100644
--- a/Kernel/Heap/kmalloc.h
+++ b/Kernel/Heap/kmalloc.h
@@ -39,8 +39,6 @@ void* krealloc(void*, size_t);
 void kfree(void*);
 void kfree_aligned(void*);

-bool is_kmalloc_address(const void*);
-
 extern volatile size_t sum_alloc;
 extern volatile size_t sum_free;
 extern volatile size_t kmalloc_sum_eternal;
diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index 0bcc5bc5fa1acc8a969b5465868764506024c146..5a52bc26cced8bddca3ea379d49a806c988d384f 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -2335,37 +2335,21 @@ bool Process::validate_read_from_kernel(VirtualAddress vaddr, ssize_t size) cons
 {
 if (vaddr.is_null())
 return false;
- // We check extra carefully here since the first 4MB of the address space is identity-mapped.
- // This code allows access outside of the known used address ranges to get caught.
- if (is_kmalloc_address(vaddr.as_ptr()))
- return true;
 return MM.validate_kernel_read(*this, vaddr, size);
 }

 bool Process::validate_read(const void* address, ssize_t size) const
 {
- ASSERT(size >= 0);
- VirtualAddress first_address((uintptr_t)address);
- if (is_ring0()) {
- if (is_kmalloc_address(address))
- return true;
- }
 if (!size)
 return false;
- return MM.validate_user_read(*this, first_address, size);
+ return MM.validate_user_read(*this, VirtualAddress(address), size);
 }

 bool Process::validate_write(void* address, ssize_t size) const
 {
- ASSERT(size >= 0);
- VirtualAddress first_address((uintptr_t)address);
- if (is_ring0()) {
- if (is_kmalloc_address(address))
- return true;
- }
 if (!size)
 return false;
- return MM.validate_user_write(*this, first_address, size);
+ return MM.validate_user_write(*this, VirtualAddress(address), size);
 }

 pid_t Process::sys$getsid(pid_t pid)
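Review bot: Removing `ASSERT(size >= 0)` from `validate_read` and `validate_write` is not explained by the commit message, and it leaves only the `!size` check between a negative `ssize_t size` and `MM.validate_user_read` / `MM.validate_user_write`. How those functions treat a negative length is not visible in this hunk; if they convert it to an unsigned length or compute an end address from it, the range that gets validated may not be the range that is later accessed. Rejecting it explicitly in both functions fails closed without bringing back a kernel panic: `if (size <= 0) return false;`. Separately, a one-line comment on each function, such as `// Validates user-accessible memory only; kernel (kmalloc) addresses are always rejected.`, would record the new contract now that the ring 0 exception is gone.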