beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-22 23:50:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

Kernel: Fix kernel crash in get_dir_entries when buffer too small.

Browse source 
Before e06362de9487806df92cf2360a42d3eed905b6bf this was a sneaky buffer
overflow. BufferStream did not do range checking and continued to write
past the allocated buffer (the size of which was controlled by the
user.)

The issue surfaced after my changes because OutputMemoryStream does
range checking.

Not sure how exploitable that bug was, directory entries are somewhat
controllable by the user but the buffer was on the heap, so exploiting
that should be tough.
This commit is contained in:
asynts 2020-09-16 16:55:29 +02:00 committed by Andreas Kling
parent f69281573e
commit 0579a2db34
Notes: sideshowbarker 2024-07-19 02:23:07 +09:00 
Author: https://github.com/asynts
Commit: https://github.com/SerenityOS/serenity/commit/0579a2db34c
Pull-request: https://github.com/SerenityOS/serenity/pull/3507
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Kernel/FileSystem/FileDescription.cpp
View file

@ -191,7 +191,7 @@ ssize_t FileDescription::get_dir_entries(UserOrKernelBuffer& buffer, ssize_t siz
if (result.is_error())
return result;
if (static_cast<size_t>(size) < stream.size())
if (stream.handle_recoverable_error())
return -EINVAL;
if (!buffer.write(stream.bytes()))