Commit 1d167572 authored by Flavio Ceolin, committed by Chris Friedt

userspace: Additional checks in K_SYSCALL_MEMORY

This macro needed additional checks before invoking
arch_buffer_validate.

- size cannot be less than 0. Some functions invoke this macro
  using a signed type which will be promoted to unsigned when invoking
  arch_buffer_validate. We need to do an early check.
- We need to check for possible overflow, since a malicious user
  application could use a negative number that would be promoted
  to a big value that would cause an integer overflow when adding it
  to the buffer address, leading to invalid checks.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
parent eeefd07f
+3 −2
@@ -346,8 +346,9 @@ extern int z_user_string_copy(char *dst, const char *src, size_t maxlen);
 * @return 0 on success, nonzero on failure
 */
#define Z_SYSCALL_MEMORY(ptr, size, write) \
	Z_SYSCALL_VERIFY_MSG(arch_buffer_validate((void *)ptr, size, write) \
			     == 0, \
	Z_SYSCALL_VERIFY_MSG((size >= 0) && !Z_DETECT_POINTER_OVERFLOW(ptr, size) \
			     && (arch_buffer_validate((void *)ptr, size, write) \
			     == 0), \
			     "Memory region %p (size %zu) %s access denied", \
			     (void *)(ptr), (size_t)(size), \
			     write ? "write" : "read")
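Review bot: The new `(size >= 0)` test is only meaningful when the caller passes a signed `size`; for callers that already pass `size_t`, the comparison is always true and compilers will flag it under `-Wtype-limits` (`comparison of unsigned expression >= 0 is always true`), which matters if the tree builds with `-Werror`. Consider casting through a signed type, or suppressing the warning locally, so the intended early rejection of negative sizes survives without breaking warning-clean builds. Two smaller points on the same lines: `size` and `ptr` are still used without wrapping parentheses (`(size >= 0)` rather than `((size) >= 0)`), so an argument that is itself an expression may not parse as intended, and `size` is now evaluated three times plus once more in the `(size_t)(size)` message argument, so a side-effecting argument would be evaluated repeatedly. Finally, `Z_DETECT_POINTER_OVERFLOW` is not defined in this hunk; the commit message should state where it comes from, or the definition should be part of the same change, so that the overflow check is auditable alongside its first use.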