mirrors/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity.git synced 2025-01-23 18:02:05 -05:00
Code Issues Projects Releases Packages Wiki Activity

Kernel: Remove String use-after-free in generate_auxiliary_vector

Browse source 
Instead we generate the random bytes directly in
make_userspace_context_for_main_thread if requested.
This commit is contained in:
Idan Horowitz 2022-01-13 01:17:15 +02:00 committed by Brian Gianforcaro
parent 215e031bf5
commit 40159186c1
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
Kernel/Syscalls/execve.cpp
View file

@ -114,6 +114,12 @@ static ErrorOr<FlatPtr> make_userspace_context_for_main_thread([[maybe_unused]]
push_string_on_new_stack(value.optional_string);
value.auxv.a_un.a_ptr = (void*)new_sp;
}
if (value.auxv.a_type == ELF::AuxiliaryValue::Random) {
u8 random_bytes[16] {};
get_fast_random_bytes({ random_bytes, sizeof(random_bytes) });
push_string_on_new_stack({ random_bytes, sizeof(random_bytes) });
value.auxv.a_un.a_ptr = (void*)new_sp;
}
}
for (ssize_t i = auxiliary_values.size() - 1; i >= 0; --i) {
@ -655,10 +661,7 @@ static Vector<ELF::AuxiliaryValue> generate_auxiliary_vector(FlatPtr load_base,
// FIXME: Also take into account things like extended filesystem permissions? That's what linux does...
auxv.append({ ELF::AuxiliaryValue::Secure, ((uid != euid) || (gid != egid)) ? 1 : 0 });
char random_bytes[16] {};
get_fast_random_bytes({ (u8*)random_bytes, sizeof(random_bytes) });
auxv.append({ ELF::AuxiliaryValue::Random, String(random_bytes, sizeof(random_bytes)) });
auxv.append({ ELF::AuxiliaryValue::Random, nullptr });
auxv.append({ ELF::AuxiliaryValue::ExecFilename, executable_path });