ExternalVendorCode/genode
1
0
Fork 0
mirror of https://github.com/genodelabs/genode.git synced 2025-03-26 05:48:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

base: deny region creation exceeding size of a ds

Browse Source 
The rm_session implementation expects that offset + size must be
part of one dataspace. Unfortunately the parameters are not checked
properly during an rm::attach.

During an detach memory behind the actual region can be unmapped by such
bogus region entries.

Issues #591
This commit is contained in:
Alexander Boettcher 2013-07-29 12:26:52 +02:00 committed by Norman Feske
parent 09049278a6
commit 717be91e16
1 changed files with 5 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
base/src/core/rm_session_component.cc
View File

@ -359,18 +359,16 @@ Rm_session_component::attach(Dataspace_capability ds_cap, size_t size,
Object_pool<Dataspace_component>::Guard dsc(_ds_ep->lookup_and_lock(ds_cap));
if (!dsc) throw Invalid_dataspace();
if (!size) {
if (!size)
size = dsc->size() - offset;
if (dsc->size() <= (size_t)offset) {
PWRN("size is 0");
throw Invalid_dataspace();
}
}
/* work with page granularity */
size = align_addr(size, get_page_size_log2());
/* deny creation of regions larger then the actual dataspace */
if (dsc->size() < size + offset)
throw Invalid_args();
/* allocate region for attachment */
void *r = 0;
if (use_local_addr) {