Kernel: Panic on attempt to map mmap'ed page at a kernel address

If we somehow get tricked into mapping user-controlled mmap memory at a kernel address, let's just panic the kernel.
Author: https://github.com/awesomekling Commit: https://github.com/SerenityOS/serenity/commit/198d6418088
2024-11-27 01:50:24 +00:00 · 2021-02-14 09:03:54 +01:00 · 2021-02-14 09:03:54 +01:00 · 198d641808 · 2024-07-18 22:20:24 +09:00
commit 198d641808
parent b712345c92
1 changed files with 8 additions and 1 deletions
--- a/Kernel/VM/Region.cpp
+++ b/Kernel/VM/Region.cpp
@ -28,6 +28,7 @@
 #include <AK/StringView.h>
 #include <Kernel/Debug.h>
 #include <Kernel/FileSystem/Inode.h>
+#include <Kernel/Panic.h>
 #include <Kernel/Process.h>
 #include <Kernel/Thread.h>
 #include <Kernel/VM/AnonymousVMObject.h>
@ -258,6 +259,12 @@ bool Region::map_individual_page_impl(size_t page_index)
 {
    ASSERT(m_page_directory->get_lock().own_lock());
    auto page_vaddr = vaddr_from_page_index(page_index);
+
+    bool user_allowed = page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr);
+    if (is_mmap() && !user_allowed) {
+        PANIC("About to map mmap'ed page at a kernel address");
+    }
+
    auto* pte = MM.ensure_pte(*m_page_directory, page_vaddr);
    if (!pte)
        return false;
@ -274,7 +281,7 @@ bool Region::map_individual_page_impl(size_t page_index)
            pte->set_writable(is_writable());
        if (Processor::current().has_feature(CPUFeature::NX))
            pte->set_execute_disabled(!is_executable());
-        pte->set_user_allowed(page_vaddr.get() >= 0x00800000 && is_user_address(page_vaddr));
+        pte->set_user_allowed(user_allowed);
    }
    return true;
 }