From 717be91e16ab6698678cc5b910ad3996844eff9a Mon Sep 17 00:00:00 2001
From: Alexander Boettcher
Date: Mon, 29 Jul 2013 12:26:52 +0200
Subject: [PATCH] base: deny region creation exceeding size of a ds

The rm_session implementation expects that offset + size must be part of one dataspace. Unfortunately the parameters are not checked properly during an rm::attach. During an detach memory behind the actual region can be unmapped by such bogus region entries.

Issues #591
---
 base/src/core/rm_session_component.cc | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/base/src/core/rm_session_component.cc b/base/src/core/rm_session_component.cc
index 35c9b9604a..6c0054b0fe 100644
--- a/base/src/core/rm_session_component.cc
+++ b/base/src/core/rm_session_component.cc
@@ -359,18 +359,16 @@ Rm_session_component::attach(Dataspace_capability ds_cap, size_t size,
 	Object_pool::Guard dsc(_ds_ep->lookup_and_lock(ds_cap));
 	if (!dsc) throw Invalid_dataspace();
-	if (!size) {
+	if (!size)
 		size = dsc->size() - offset;
-		if (dsc->size() <= (size_t)offset) {
-			PWRN("size is 0");
-			throw Invalid_dataspace();
-		}
-	}
-
 	/* work with page granularity */
 	size = align_addr(size, get_page_size_log2());
+	/* deny creation of regions larger then the actual dataspace */
+	if (dsc->size() < size + offset)
+		throw Invalid_args();
+
 	/* allocate region for attachment */
 	void *r = 0;
 	if (use_local_addr) {
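Review bot: The new bound `dsc->size() < size + offset` is defeated by unsigned wrap-around, and the removed `dsc->size() <= (size_t)offset` guard was what protected the `size = dsc->size() - offset` fallback: with size == 0 and an offset beyond the dataspace, the subtraction wraps to a huge size, and `size + offset` wraps back to roughly `dsc->size()`, so the check passes and a region far larger than the dataspace is still created — the very bug the commit targets. The same addition can wrap for a caller-supplied size close to the size_t maximum, and offset appears to be signed (the removed code cast it to size_t), so a negative value would also pass. Reject the offset first and compare without the sum: `if (offset < 0 || (size_t)offset >= dsc->size()) throw Invalid_args();` before the `if (!size)` line, and `if (size > dsc->size() - offset)` in place of the new comparison. Whether `align_addr` can itself wrap a near-maximal size to 0 is not visible here and is worth confirming. The added comment also reads "larger then"; "larger than" is intended.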