authorSamuel Thibault <samuel.thibault@ens-lyon.org>2021-08-09 19:43:08 +0200
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2021-08-09 19:44:13 +0200
commite40ad97e71fb3949a1ca57b488a6ab70a39d9b0f (patch)
treebf1f58339bcd5f3db753df7b559aae14bedb9a10
parentb12549f5cb0495085a39908bfe9c9c4d1b068cca (diff)
memory_object_proxy: Fix checking proxy length
We want to prevent subproxies from requesting larger sizes than what a proxy initially allowed.
-rw-r--r--vm/memory_object_proxy.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/vm/memory_object_proxy.c b/vm/memory_object_proxy.c
index 160a1b30..b6268d72 100644
--- a/vm/memory_object_proxy.c
+++ b/vm/memory_object_proxy.c
@@ -151,6 +151,9 @@ memory_object_create_proxy (const ipc_space_t space, vm_prot_t max_protection,
if (offset[0] != 0)
return KERN_INVALID_ARGUMENT;
+ if (start[0] + len[0] < start[0])
+ return KERN_INVALID_ARGUMENT;
+
proxy = (memory_object_proxy_t) kmem_cache_alloc (&memory_object_proxy_cache);
/* Allocate port, keeping a reference for it. */
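Review bot: The new guard `start[0] + len[0] < start[0]` rejects only a range whose end wraps around. It does not compare the request with the parent when `object` is itself a proxy, so the limit named in the commit message appears to be enforced only later, in memory_object_proxy_lookup. A comment would make that split explicit, for example `/* Reject a range whose end wraps; limits inherited from a parent proxy are applied in memory_object_proxy_lookup. */`. The test also relies on `start` and `len` being unsigned types, and their declarations and the earlier argument-count checks are outside this hunk, so that is worth confirming.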
@@ -197,11 +200,15 @@ memory_object_proxy_lookup (ipc_port_t port, ipc_port_t *object,
*max_protection = proxy->max_protection;
*start = 0;
- *len = proxy->len;
+ *len = (vm_offset_t) ~0;
do
{
*object = proxy->object;
+ if (proxy->len <= *start)
+ *len = 0;
+ else
+ *len = MIN(*len, proxy->len - *start);
*start += proxy->start;
}
while ((proxy = memory_object_proxy_port_lookup (proxy->object)));
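Review bot: The clamp added inside the loop needs a comment, because the invariant it depends on is easy to miss: at the top of each iteration `*start` is still an offset relative to the current proxy, so `proxy->len - *start` is what remains of that proxy's window. I would put `/* *start is relative to this proxy: clamp *len to what is left of its window, or 0 if the offset is already past it. */` above the `if`. A subproxy that starts beyond its parent's window is reported as `*len == 0` rather than as an error, so callers (outside this hunk) presumably have to treat a zero length as a refusal; that contract belongs in the function's header comment. As a style point, `~(vm_offset_t) 0` is the more common spelling of the all-ones initial value than `(vm_offset_t) ~0`.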