Avoid potential overflow in adding user-provided address and length
Created by: philmiller-charmworks
Both ptr and len are directly formed by user-supplied values. Malicious code making a system call could supply very large values, such that adding them together could produce an overflow.
In debug mode, the compiler-inserted checks would catch it, and presumably crash the kernel, producing a denial of service. In release mode, the wrapped value could pass the check, when it shouldn't, allowing the calling code to read or write data at an arbitrary address.
This change avoids ever adding them together, so that the threatened overflow can't happen. Here's the algebra showing that the final check is equivalent to the previous version in the non-overflowing case:
!(ptr + len <= mem.virtual_address + mem.virtual_size) ptr + len > mem.virtual_address + mem.virtual_size ptr + len > end len > end - ptr len > max_len
TODOs:
- My changes are completely untested - I made them online in Github, without any local compilation, etc. I believe in the logic as written, but not in the syntax
- The corresponding check of the Stack segment later in this file also needs to be changed