From 439ac04a65a685d280eedef438807e03e4f30c27 Mon Sep 17 00:00:00 2001
From: Ilja van Sprundel
Date: Sat, 5 Oct 2019 21:56:07 +0200
Subject: [PATCH] add bounds check to prevent memory corruption and integer overflow
This change adds a bounds check to make sure userland can't overflow a kernel stack buffer. In addition the change also prevents an integer overflow from occurring.
---
 minix/kernel/system/do_safecopy.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/minix/kernel/system/do_safecopy.c b/minix/kernel/system/do_safecopy.c
index 83ad0ad4e..eac8c0ebd 100644
--- a/minix/kernel/system/do_safecopy.c
+++ b/minix/kernel/system/do_safecopy.c
@@ -412,6 +412,9 @@ int do_vsafecopy(struct proc * caller, message * m_ptr)
 /* No. of vector elements. */
 els = m_ptr->m_lsys_kern_vsafecopy.vec_size;
+ if (els > SCPVEC_NR) {
+ return EINVAL;
+ }
 bytes = els * sizeof(struct vscp_vec);
 /* Obtain vector of copies. */
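Review bot: The added guard only rejects values above `SCPVEC_NR`; if `els` is a signed type (its declaration is outside this hunk, so this needs confirming), a negative `vec_size` supplied by the caller passes the check and the following `bytes = els * sizeof(struct vscp_vec);` converts it to a very large unsigned size. Rejecting both ends closes that gap: `if (els < 0 || els > SCPVEC_NR) {`. Alternatively, declare `els` as an unsigned type so the single comparison is sufficient. A short comment such as `/* vec[] holds at most SCPVEC_NR entries; reject out-of-range counts from the caller. */` above the check would record why the bound is `SCPVEC_NR`. The body of `do_vsafecopy` begins and ends outside the hunk, so how `bytes` and `els` are used afterwards cannot be checked from here.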