several small changes to prevent potential security and reliability issues due to slight implementation bugs. #298
Open. iljavs wants to merge 16 commits into Stichting-MINIX-Research-Foundation:master from iljavs:master.
Conversation
This change adds individual bounds checks for namelen and prefixlen in order to prevent integer overflow (which could cause memory corruption).
This change adds a bounds check to make sure count is not larger than MAX_PARAMS when copying data from the caller. This prevents a buffer overflow from occurring.
Make sure the service isn't lying about the number of bytes it wrote into vaddr. This prevents possible out-of-bounds reads and writes by callers that rely on and trust the length value returned by the server.
This change clears the message structure before filling it in. This prevents uninitialized stack data from vfs from leaking to the other endpoint.
This change adds a check to make sure name_len is not negative. This change was made to prevent memory corruption from occurring if name_len is negative.
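The namelen/prefixlen commit and the negative name_len commit describe one class of bug: a length check on a combined or signed value that passes while one of the operands is out of range. The C below is an added illustration for this page, not code from the MINIX tree or from this pull request; the buffer size, the function names and the build_path helper are constructed for the example.

```c
#include <string.h>

/* Constructed buffer size for the example; not a MINIX constant. */
#define PATH_BUF_LEN 256

/* Weak pattern: validating only the sum. A negative namelen makes the
 * total look small while prefixlen alone is larger than the buffer, and
 * with large positive operands the signed addition can overflow before
 * the comparison ever runs. */
int path_len_ok_combined(int prefixlen, int namelen)
{
    int total = prefixlen + namelen;
    return total >= 0 && total < PATH_BUF_LEN;
}

/* Hardened pattern: bound each operand on its own first. Once both are
 * in [0, PATH_BUF_LEN) the sum cannot overflow and cannot be negative,
 * so the final comparison is meaningful. */
int path_len_ok_individual(int prefixlen, int namelen)
{
    if (prefixlen < 0 || prefixlen >= PATH_BUF_LEN)
        return 0;
    if (namelen < 0 || namelen >= PATH_BUF_LEN)
        return 0;
    return prefixlen + namelen < PATH_BUF_LEN;   /* leave room for the NUL */
}

/* Joins prefix and name into dst (at least PATH_BUF_LEN bytes) using the
 * hardened check. Returns the resulting length, or -1 when the lengths
 * are rejected, in which case dst is left untouched. */
int build_path(char *dst, const char *prefix, int prefixlen,
               const char *name, int namelen)
{
    if (!path_len_ok_individual(prefixlen, namelen))
        return -1;
    memcpy(dst, prefix, (size_t)prefixlen);
    memcpy(dst + prefixlen, name, (size_t)namelen);
    dst[prefixlen + namelen] = '\0';
    return prefixlen + namelen;
}
```

The pair (300, -100) is the interesting input: the combined check accepts it because the sum is 200, yet copying 300 prefix bytes would already run past the buffer; the individual check rejects it before any copy happens.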
iljavs changed the title from "prevent integer overflow" to "several small changes to prevent potential security and reliability issues due to slight implementation bugs." on Oct 3, 2019.
fix a small code change where a grant would get leaked.
This change adds a bounds check to make sure userland can't overflow a kernel stack buffer. In addition the change also prevents an integer overflow from occurring.
was checking upper bounds, but not lower bounds. This change fixes that.
This change strengthens a bounds check to make sure no out of bound indexing occurs when using a port.
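The MAX_PARAMS commit, the kernel stack buffer commit and the port indexing commit all concern a caller-controlled count or index used against a fixed-size kernel-side array. The C below is an added example written for this page, not code from MINIX or from this pull request; MAX_PARAMS and NR_PORTS values, the struct layouts and the function names are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed sizes; not the MINIX values. */
#define MAX_PARAMS 8
#define NR_PORTS   16

struct param { int key; int value; };

/* Untrusted request as it would arrive from userland: a count and the
 * entries it claims to describe. A real kernel would fetch the entries
 * with a checked copy-in; here they sit in caller memory. */
struct user_request {
    int count;
    const struct param *params;
};

/* Hardened copy into a fixed-size array on the kernel side. The count is
 * bounded on both sides before it becomes a size: a negative count would
 * turn into a huge size_t, a count above MAX_PARAMS would overrun the
 * array. Returns the number of entries copied or -EINVAL. */
int copy_params_in(const struct user_request *req, struct param out[MAX_PARAMS])
{
    if (req->count < 0 || req->count > MAX_PARAMS)
        return -EINVAL;
    memcpy(out, req->params, (size_t)req->count * sizeof(struct param));
    return req->count;
}

/* Port table with a strict bound on both ends. An off-by-one check such
 * as "port > NR_PORTS" would still let index NR_PORTS touch one slot
 * past the table; ">=" closes that. */
static int port_table[NR_PORTS];

int port_set(int port, int value)
{
    if (port < 0 || port >= NR_PORTS)
        return -1;
    port_table[port] = value;
    return 0;
}

int port_lookup(int port)
{
    if (port < 0 || port >= NR_PORTS)
        return -1;
    return port_table[port];
}
```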
This change clears the tm structure on the stack before filling it in. This guarantees that the whole structure is initialized, and as such, no uninitialized stack data is copied to the caller.
This change adds validation for the devman_device_info that is provided by the caller. This is done by introducing a new function devman_validate_device_info.
need limits.h for INT_MAX
This change guarantees the vfs stat buffer is initialized. In the event that the fs we're calling into is lying (says it wrote into buf, but really didn't), uninitialized vfs stack data would get sent to the vfs caller.
This change clears the message structure before filling it in. This prevents uninitialized stack data from vfs leaking to a file system driver.
This change makes sure len is not 0. If len is 0, an int underflow would occur when looking for a terminating 0-byte and could lead to operating on uninitialized data.
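Several of the commit messages (the vaddr length check, the cleared message structures, the cleared tm structure, the initialized stat buffer, and the len == 0 check) share two rules: a server zeroes its reply before filling it, and a client treats the length a server reports as untrusted input. The C below is an added example for this page, not code from MINIX or from this pull request; the stat_reply layout, NAME_BUF and all function names are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed reply layout for the example; not a MINIX message. */
#define NAME_BUF 32

struct stat_reply {
    int32_t  status;
    uint32_t name_len;       /* bytes the server says it wrote into name */
    char     name[NAME_BUF];
    uint32_t reserved;       /* a field a careless server never touches */
};

/* Server side. Zeroing the whole reply before filling it guarantees that
 * fields the server never sets, and the unused tail of name, carry no
 * stale stack bytes back to the caller. Returns 0, or -1 if the name
 * does not fit (the reply is still fully zeroed in that case). */
int server_fill_reply(struct stat_reply *r, const char *name)
{
    size_t n = strlen(name) + 1;          /* include the terminating NUL */
    memset(r, 0, sizeof *r);
    if (n > NAME_BUF) {
        r->status = -1;
        return -1;
    }
    memcpy(r->name, name, n);
    r->name_len = (uint32_t)n;
    return 0;
}

/* Client side. The reported length is untrusted: zero would turn len - 1
 * into a huge index, a value above NAME_BUF would index past the buffer,
 * and a region that does not end in NUL must not be used as a C string.
 * Returns the validated length or -1. */
int client_validate_reply(const struct stat_reply *r)
{
    uint32_t len = r->name_len;
    if (len == 0)
        return -1;
    if (len > NAME_BUF)
        return -1;
    if (r->name[len - 1] != '\0')
        return -1;
    return (int)len;
}

/* Builds a reply for "passwd", then overrides the reported length with a
 * constructed (possibly hostile) value and returns the client's verdict. */
int check_claimed_len(uint32_t claimed)
{
    struct stat_reply r;
    server_fill_reply(&r, "passwd");
    r.name_len = claimed;
    return client_validate_reply(&r);
}

/* Pre-fills the reply with 0xAA, as left-over stack data might look,
 * fills it for "passwd" and counts the nonzero bytes. With status 0,
 * name_len 7 (one nonzero byte in either endianness) and the six letters
 * of "passwd", exactly 7 bytes are nonzero; any more would be stale data. */
int stale_bytes_after_fill(void)
{
    struct stat_reply r;
    const unsigned char *p = (const unsigned char *)&r;
    size_t i;
    int nonzero = 0;
    memset(&r, 0xAA, sizeof r);
    server_fill_reply(&r, "passwd");
    for (i = 0; i < sizeof r; i++)
        if (p[i] != 0)
            nonzero++;
    return nonzero;
}
```

Without the memset, the reserved field and the 25 unused bytes of name would still hold 0xAA after the fill, which is exactly the kind of stack content the commit messages describe leaking to the other endpoint.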
These changes add bounds checks to prevent potential memory corruption issues and information leaks in several places.