From 0579a2db34cea807ed092e29c5a895cb9f0853d2 Mon Sep 17 00:00:00 2001 From: asynts Date: Wed, 16 Sep 2020 16:55:29 +0200 Subject: [PATCH] Kernel: Fix kernel crash in get_dir_entries when buffer too small. Before e06362de9487806df92cf2360a42d3eed905b6bf this was a sneaky buffer overflow. BufferStream did not do range checking and continued to write past the allocated buffer (the size of which was controlled by the user.) The issue surfaced after my changes because OutputMemoryStream does range checking. Not sure how exploitable that bug was, directory entries are somewhat controllable by the user but the buffer was on the heap, so exploiting that should be tough. --- Kernel/FileSystem/FileDescription.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Kernel/FileSystem/FileDescription.cpp b/Kernel/FileSystem/FileDescription.cpp index a361e1d046a..31216fa78f5 100644 --- a/Kernel/FileSystem/FileDescription.cpp +++ b/Kernel/FileSystem/FileDescription.cpp @@ -191,7 +191,7 @@ ssize_t FileDescription::get_dir_entries(UserOrKernelBuffer& buffer, ssize_t siz if (result.is_error()) return result; - if (static_cast(size) < stream.size()) + if (stream.handle_recoverable_error()) return -EINVAL; if (!buffer.write(stream.bytes()))