From e40ad97e71fb3949a1ca57b488a6ab70a39d9b0f Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Mon, 9 Aug 2021 19:43:08 +0200
Subject: memory_object_proxy: Fix checking proxy length
We want to prevent subproxies from requesting larger sizes than what a proxy initially allowed.
---
 vm/memory_object_proxy.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/vm/memory_object_proxy.c b/vm/memory_object_proxy.c
index 160a1b30..b6268d72 100644
--- a/vm/memory_object_proxy.c
+++ b/vm/memory_object_proxy.c
@@ -151,6 +151,9 @@ memory_object_create_proxy (const ipc_space_t space, vm_prot_t max_protection,
 if (offset[0] != 0)
 return KERN_INVALID_ARGUMENT;
+ if (start[0] + len[0] < start[0])
+ return KERN_INVALID_ARGUMENT;
+
 proxy = (memory_object_proxy_t) kmem_cache_alloc (&memory_object_proxy_cache);
 /* Allocate port, keeping a reference for it. */
@@ -197,11 +200,15 @@ memory_object_proxy_lookup (ipc_port_t port, ipc_port_t *object,
 *max_protection = proxy->max_protection;
 *start = 0;
- *len = proxy->len;
+ *len = (vm_offset_t) ~0;
 do
 {
 *object = proxy->object;
+ if (proxy->len <= *start)
+ *len = 0;
+ else
+ *len = MIN(*len, proxy->len - *start);
 *start += proxy->start;
 }
 while ((proxy = memory_object_proxy_port_lookup (proxy->object)));
-- 
cgit v1.2.3
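Review bot: The new guard `if (start[0] + len[0] < start[0])` is a correct wrap-around test only because its operands are unsigned; the hunk does not show their declarations, so if start and len are vm_offset_t this is fine, but a signed type would make the addition undefined behavior rather than wrapping, and the intent deserves a comment such as `/* Reject a window whose end wraps around the address space.  */`. The check also does not compare the window against the target object's size; from the second hunk it appears that the clamping in memory_object_proxy_lookup is what enforces that, which is worth stating in the same comment so a reader does not look for it here. Like the existing `offset[0]` test only element 0 is validated, presumably because object_count is restricted earlier in the function; the body of memory_object_create_proxy continues outside the hunk.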
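Review bot: The clamping loop in memory_object_proxy_lookup carries no comment explaining the invariant it maintains, which is the heart of this fix: `*start` is the offset within the current level and `*len` is the narrowest window seen so far. I would add `/* Start unbounded; each proxy level narrows the window to what it exposes.  */` above `*len = (vm_offset_t) ~0;` and `/* Nothing of this level is reachable past its length.  */` above the new `if`. Once `*len` becomes 0 the remaining iterations still accumulate `proxy->start` into `*start`, so `*start` is meaningless for a zero-length result; that is harmless as long as every caller checks `*len` first, which cannot be confirmed from the hunk. `MIN` evaluates its operands more than once if it is the usual macro, but neither operand here has side effects. The function body continues past the hunk; its return statement is not shown.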