From dcb49be48133cf811dcd870e8af5f7ffaffc2ab0 Mon Sep 17 00:00:00 2001
From: Jeremy Soller <jackpot51@gmail.com>
Date: Sun, 21 Jan 2018 19:21:43 -0700
Subject: [PATCH] Fix potential overflows in validate_slice and
 validate_slice_mut, require memory to be userspace

---
 src/syscall/validate.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/syscall/validate.rs b/src/syscall/validate.rs
index 9186b905..bd3a30d5 100644
--- a/src/syscall/validate.rs
+++ b/src/syscall/validate.rs
@@ -5,10 +5,13 @@ use paging::entry::EntryFlags;
 use syscall::error::*;
 
 fn validate(address: usize, size: usize, flags: EntryFlags) -> Result<()> {
+    let end_offset = size.checked_sub(1).ok_or(Error::new(EFAULT))?;
+    let end_address = address.checked_add(end_offset).ok_or(Error::new(EFAULT))?;
+
     let active_table = unsafe { ActivePageTable::new() };
 
     let start_page = Page::containing_address(VirtualAddress::new(address));
-    let end_page = Page::containing_address(VirtualAddress::new(address + size - 1));
+    let end_page = Page::containing_address(VirtualAddress::new(end_address));
     for page in Page::range_inclusive(start_page, end_page) {
         if let Some(page_flags) = active_table.translate_page_flags(page) {
             if ! page_flags.contains(flags) {
@@ -29,7 +32,7 @@ pub fn validate_slice<T>(ptr: *const T, len: usize) -> Result<&'static [T]> {
     if len == 0 {
         Ok(&[])
     } else {
-        validate(ptr as usize, len * mem::size_of::<T>(), EntryFlags::PRESENT /* TODO | EntryFlags::USER_ACCESSIBLE */)?;
+        validate(ptr as usize, len * mem::size_of::<T>(), EntryFlags::PRESENT | EntryFlags::USER_ACCESSIBLE)?;
         Ok(unsafe { slice::from_raw_parts(ptr, len) })
     }
 }
@@ -39,7 +42,7 @@ pub fn validate_slice_mut<T>(ptr: *mut T, len: usize) -> Result<&'static mut [T]
     if len == 0 {
         Ok(&mut [])
     } else {
-        validate(ptr as usize, len * mem::size_of::<T>(), EntryFlags::PRESENT | EntryFlags::WRITABLE /* TODO | EntryFlags::USER_ACCESSIBLE */)?;
+        validate(ptr as usize, len * mem::size_of::<T>(), EntryFlags::PRESENT | EntryFlags::WRITABLE | EntryFlags::USER_ACCESSIBLE)?;
         Ok(unsafe { slice::from_raw_parts_mut(ptr, len) })
     }
 }
-- 
GitLab