serenity/Kernel/Syscalls
Brian Gianforcaro ed6d842f85 Kernel: Fix OOB read in sys$dbgputstr(..) during fuzzing
The implementation uses try_copy_kstring_from_user to allocate a kernel
string, but does not use the length of the resulting string.
The size parameter to the syscall is untrusted, as try_copy_kstring will
attempt to perform a `safe_strlen(..)` on the user mode string and use
that value for the allocated length of the KString instead. The bug is
that we are printing the kstring, but with the usermode size argument.

During fuzzing this resulted in us walking off the end of the allocated
KString buffer printing garbage (or any kernel data!), until we stumbled
into the KSym region and hit a fatal page fault.

This is technically a kernel information disclosure, but (un)fortunately
the disclosure only happens to the Bochs debug port, and/or the serial
port if serial debugging is enabled. As far as I can tell it's not
actually possible for an untrusted attacker to use this to do something
nefarious, as they would need access to the host. If they have host
access then they can already do much worse things :^).
2021-08-13 11:08:11 +02:00
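The length-mismatch pattern described in the commit message, reduced to a user-space model so it can be run outside the kernel. This is an added illustration, not SerenityOS code: `kstring_t`, `copy_kstring_from_user`, `safe_strlen`, `dbgput`, the simulated `g_heap`, and the `KERNEL-SECRET` marker placed after the allocation are all constructed here to stand in for KString, try_copy_kstring_from_user, the debug port and whatever kernel data happens to follow the buffer. `sys_dbgputstr_before` prints with the untrusted syscall size argument; `sys_dbgputstr_after` prints with the length of the string that was actually copied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated kernel heap (constructed for this example). The KString buffer is
 * carved from the front; whatever sits after it plays the role of adjacent
 * kernel data that an over-long print would disclose. */
#define HEAP_SIZE 64
static char g_heap[HEAP_SIZE];
static const char g_adjacent_secret[] = "KERNEL-SECRET";

/* Hypothetical stand-in for KString: buffer plus the length actually copied. */
typedef struct {
    char* chars;
    size_t length; /* bytes copied from user space, not counting the NUL */
} kstring_t;

/* Bounded strlen, in the spirit of the safe_strlen(..) the commit mentions. */
static size_t safe_strlen(const char* s, size_t max_len)
{
    size_t n = 0;
    while (n < max_len && s[n] != '\0')
        n++;
    return n;
}

/* Model of try_copy_kstring_from_user(): the allocation is sized from the
 * bounded strlen of the user string, NOT from the caller's size argument. */
static int copy_kstring_from_user(const char* user_string, size_t max_len, kstring_t* out)
{
    size_t len = safe_strlen(user_string, max_len);
    if (len + 1 + sizeof g_adjacent_secret > HEAP_SIZE)
        return -1; /* would not fit in the simulated heap */
    memset(g_heap, 0, sizeof g_heap);
    memcpy(g_heap, user_string, len);
    g_heap[len] = '\0';
    /* Place "other kernel data" immediately after the allocation. */
    memcpy(g_heap + len + 1, g_adjacent_secret, sizeof g_adjacent_secret);
    out->chars = g_heap;
    out->length = len;
    return 0;
}

/* Debug sink standing in for the Bochs / serial debug port. */
static char g_sink[HEAP_SIZE];
static size_t g_sink_len;

static void dbgput(const char* p, size_t n)
{
    if (n > sizeof g_sink)
        n = sizeof g_sink; /* keeps the simulation itself in bounds */
    memcpy(g_sink, p, n);
    g_sink_len = n;
}

/* Before the fix: print length is the untrusted user-supplied size. */
int sys_dbgputstr_before(const char* user_string, size_t user_size)
{
    kstring_t ks;
    if (copy_kstring_from_user(user_string, user_size, &ks) < 0)
        return -1;
    dbgput(ks.chars, user_size); /* BUG: user_size may exceed ks.length */
    return (int)user_size;
}

/* After the fix: print length is what was actually copied into the KString. */
int sys_dbgputstr_after(const char* user_string, size_t user_size)
{
    kstring_t ks;
    if (copy_kstring_from_user(user_string, user_size, &ks) < 0)
        return -1;
    dbgput(ks.chars, ks.length);
    return (int)ks.length;
}

/* Returns 1 if `needle` reached the debug sink during the last call. */
int sink_contains(const char* needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= g_sink_len; i++)
        if (memcmp(g_sink + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* A 2-byte string passed with an oversized length argument, as a fuzzer would. */
    sys_dbgputstr_before("hi", 40);
    printf("before fix, secret leaked to debug port: %d\n", sink_contains("KERNEL-SECRET"));
    sys_dbgputstr_after("hi", 40);
    printf("after fix,  secret leaked to debug port: %d\n", sink_contains("KERNEL-SECRET"));
    return 0;
}
```

The check to carry over to any copy-from-user helper that re-measures its input: once the kernel has derived its own length (here via the bounded strlen), every subsequent consumer must use that derived length, and the original user-supplied size argument should be treated as nothing more than an upper bound for the copy.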
access.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
alarm.cpp Kernel: Do not cancel stale timers when servicing sys$alarm 2021-08-03 18:44:01 +02:00
anon_create.cpp Kernel: Move Kernel/Memory/ code into Kernel::Memory namespace 2021-08-06 14:05:58 +02:00
beep.cpp Kernel: Disable big process lock for sys$beep() 2021-08-06 23:36:12 +02:00
chdir.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
chmod.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
chown.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
chroot.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
clock.cpp Kernel+LibC: Allow clock_gettime() to run without syscalls 2021-08-10 19:21:16 +02:00
debug.cpp Kernel: Fix OOB read in sys$dbgputstr(..) during fuzzing 2021-08-13 11:08:11 +02:00
disown.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
dup2.cpp Kernel: Track allocated FileDescriptionAndFlag elements in each Process 2021-07-28 19:07:00 +02:00
emuctl.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
execve.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
exit.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
fcntl.cpp Kernel: Track allocated FileDescriptionAndFlag elements in each Process 2021-07-28 19:07:00 +02:00
fork.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
ftruncate.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
futex.cpp Everywhere: Replace AK::Singleton => Singleton 2021-08-08 00:03:45 +02:00
get_dir_entries.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
get_stack_bounds.cpp Kernel: Disable big process lock for sys$get_stack_bounds 2021-08-06 23:36:12 +02:00
getrandom.cpp Kernel: Disable big process lock for sys$getrandom 2021-08-06 23:36:12 +02:00
getuid.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
hostname.cpp Kernel: Migrate hostname locking to ProtectedValue 2021-08-07 11:48:00 +02:00
inode_watcher.cpp Kernel: Remove char* versions of path argument / kstring copy methods 2021-08-13 11:08:11 +02:00
ioctl.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
keymap.cpp Kernel: Disable big process lock for sys$getkeymap 2021-08-06 23:36:12 +02:00
kill.cpp Kernel: Migrate process list locking to ProtectedValue 2021-08-07 11:48:00 +02:00
link.cpp Kernel: Use try_copy_kstring_from_user() in sys$link() 2021-08-06 00:37:47 +02:00
lseek.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
mkdir.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
mknod.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
mmap.cpp Kernel: Rename a very long enum to ShouldDeallocateVirtualRange 2021-08-06 21:45:05 +02:00
module.cpp Kernel: Add convenience values to the Memory::Region::Access enum 2021-08-06 22:25:00 +02:00
mount.cpp Kernel: Implement a ISO 9660 filesystem reader :^) 2021-08-07 15:21:58 +02:00
open.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
perf_event.cpp Kernel: Don't record sys$perf_event() if profiling is not enabled 2021-08-12 00:03:40 +02:00
pipe.cpp Kernel: Handle OOM from DoubleBuffer creation in FIFO creation 2021-08-03 18:54:23 +02:00
pledge.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
prctl.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
process.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
profiling.cpp Kernel: Migrate process list locking to ProtectedValue 2021-08-07 11:48:00 +02:00
ptrace.cpp Kernel: Rename Process::space() => Process::address_space() 2021-08-06 14:05:58 +02:00
purge.cpp Kernel: Move Kernel/Memory/ code into Kernel::Memory namespace 2021-08-06 14:05:58 +02:00
read.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
readlink.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
realpath.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
rename.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
rmdir.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
sched.cpp Kernel: Fix kernel panic when blocking on the process' big lock 2021-08-10 22:33:50 +02:00
select.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
sendfd.cpp Kernel: Track allocated FileDescriptionAndFlag elements in each Process 2021-07-28 19:07:00 +02:00
setpgid.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
setuid.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
shutdown.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
sigaction.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
socket.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
stat.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
statvfs.cpp Kernel: Remove unused header includes 2021-08-01 08:10:16 +02:00
sync.cpp Kernel: Disable big process lock for sys$sync 2021-08-07 15:30:26 +02:00
sysconf.cpp Kernel: Disable big process lock for sys$sysconf 2021-08-06 23:36:12 +02:00
thread.cpp Kernel: Rename Process::space() => Process::address_space() 2021-08-06 14:05:58 +02:00
times.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
ttyname.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
umask.cpp Kernel/Process: Move protected values to the end of the object 2021-08-12 20:57:32 +02:00
uname.cpp Kernel: Migrate hostname locking to ProtectedValue 2021-08-07 11:48:00 +02:00
unlink.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
unveil.cpp Kernel: Migrate sys$unveil to use the KString API 2021-07-23 19:02:25 +02:00
utime.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
waitid.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00
write.cpp Kernel: Annotate all syscalls with VERIFY_PROCESS_BIG_LOCK_ACQUIRED 2021-07-20 03:21:14 +02:00