Kernel: Avoid overrunning the user-specified buffers in select()

Author: https://github.com/gunnarbeutner Commit: https://github.com/SerenityOS/serenity/commit/d9ee2c6a891 Pull-request: https://github.com/SerenityOS/serenity/pull/6704 Reviewed-by: https://github.com/awesomekling
2025-01-24 02:03:06 -05:00 · 2021-04-28 08:36:37 +02:00 · 2021-04-28 08:36:37 +02:00 · d9ee2c6a89 · 2024-07-18 19:00:01 +09:00
commit d9ee2c6a89
parent d9f7b29273
1 changed files with 11 additions and 6 deletions
--- a/Kernel/Syscalls/select.cpp
+++ b/Kernel/Syscalls/select.cpp
@ -48,11 +48,16 @@ KResultOr<int> Process::sys$select(Userspace<const Syscall::SC_select_params*> u
    });

    fd_set fds_read, fds_write, fds_except;
-    if (params.readfds && !copy_from_user(&fds_read, params.readfds))
+
+    size_t bytes_used = ceil_div(params.nfds, 8);
+    if (bytes_used > sizeof(fds_read))
+        return EINVAL;
+
+    if (params.readfds && !copy_from_user(&fds_read, params.readfds, bytes_used))
        return EFAULT;
-    if (params.writefds && !copy_from_user(&fds_write, params.writefds))
+    if (params.writefds && !copy_from_user(&fds_write, params.writefds, bytes_used))
        return EFAULT;
-    if (params.exceptfds && !copy_from_user(&fds_except, params.exceptfds))
+    if (params.exceptfds && !copy_from_user(&fds_except, params.exceptfds, bytes_used))
        return EFAULT;

    Thread::SelectBlocker::FDVector fds_info;
@ -111,11 +116,11 @@ KResultOr<int> Process::sys$select(Userspace<const Syscall::SC_select_params*> u
        }
    }

-    if (params.readfds && !copy_to_user(params.readfds, &fds_read))
+    if (params.readfds && !copy_to_user(params.readfds, &fds_read, bytes_used))
        return EFAULT;
-    if (params.writefds && !copy_to_user(params.writefds, &fds_write))
+    if (params.writefds && !copy_to_user(params.writefds, &fds_write, bytes_used))
        return EFAULT;
-    if (params.exceptfds && !copy_to_user(params.exceptfds, &fds_except))
+    if (params.exceptfds && !copy_to_user(params.exceptfds, &fds_except, bytes_used))
        return EFAULT;
    return marked_fd_count;
 }