From d11dd0c3f93b57059440e4a3f07f7fe28b7f8b07 Mon Sep 17 00:00:00 2001
From: "Justin C. Miller"
Date: Wed, 6 Jan 2021 23:16:16 -0800
Subject: [PATCH] [kernel] Fix memory clobbering from endpoint

The endpoint receive syscalls can block and then write to userspace memory. Since the current address space may be different after blocking, make sure to only actually write to the user memory after returning to the syscall handler - pass values that are on the syscall handler stack deeper into the kernel.
---
 src/include/j6/types.h | 1 +
 src/kernel/syscalls/endpoint.cpp | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/include/j6/types.h b/src/include/j6/types.h
index 15d762c..587775e 100644
--- a/src/include/j6/types.h
+++ b/src/include/j6/types.h
@@ -18,6 +18,7 @@ typedef uint64_t j6_signal_t;
 typedef uint64_t j6_tag_t;
 #define j6_tag_system_flag 0x8000000000000000
+#define j6_tag_invalid 0x0000000000000000
 /// If all high bits except the last 16 are set, then the tag represents
 /// an IRQ.
diff --git a/src/kernel/syscalls/endpoint.cpp b/src/kernel/syscalls/endpoint.cpp
index 733bbb5..e4c9649 100644
--- a/src/kernel/syscalls/endpoint.cpp
+++ b/src/kernel/syscalls/endpoint.cpp
@@ -35,7 +35,12 @@ endpoint_receive(j6_handle_t handle, j6_tag_t *tag, size_t *len, void *data)
 endpoint *e = get_handle(handle);
 if (!e) return j6_err_invalid_arg;
- return e->receive(tag, len, data);
+ j6_tag_t out_tag = j6_tag_invalid;
+ size_t out_len = 0;
+ j6_status_t s = e->receive(&out_tag, &out_len, data);
+ *tag = out_tag;
+ *len = out_len;
+ return s;
 }
 j6_status_t
@@ -51,7 +56,12 @@ endpoint_sendrecv(j6_handle_t handle, j6_tag_t *tag, size_t *len, void *data)
 if (status != j6_status_ok) return status;
- return e->receive(tag, len, data);
+ j6_tag_t out_tag = j6_tag_invalid;
+ size_t out_len = 0;
+ j6_status_t s = e->receive(&out_tag, &out_len, data);
+ *tag = out_tag;
+ *len = out_len;
+ return s;
 }
 } // namespace syscalls
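Review bot: The new `j6_tag_invalid` define carries no comment saying that tag value 0 is reserved and never handed out for a real message, which is the property endpoint.cpp now relies on when it pre-fills `out_tag` with it. Whether 0 can otherwise occur as a tag is not visible in this hunk, so that should be stated explicitly where the constant is defined; the neighbouring `j6_tag_system_flag` is followed by a `///` doc comment, so a matching `/// Reserved tag value; never assigned to a delivered message.` line directly above `#define j6_tag_invalid` keeps the header consistent.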
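Review bot: The `data` pointer is still passed straight into `e->receive(&out_tag, &out_len, data)`, so if receive() fills the payload buffer after it has blocked, that write lands in whatever address space is current at that moment — the same clobbering the commit message describes for tag and len, only the two scalar outputs are now staged on the handler's stack. The same applies to the endpoint_sendrecv hunk below. Unless receive() is known to copy the payload before it can block (not visible here), the payload needs the same treatment, e.g. receive into a kernel-side buffer and copy to `data` only after receive() returns. A why-comment on the staging would also help the next reader, since nothing in the code explains it: `// receive() may block and switch address spaces; write the user outputs only after it returns`. endpoint_receive's signature and the rest of its body lie outside this hunk.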
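Review bot: The six staged-output lines added to endpoint_sendrecv are a verbatim copy of the block added to endpoint_receive in the previous hunk; a single file-scope helper would keep the two syscalls from drifting the next time the staging rule changes, and gives the rule one place to be documented. The helper below takes the already-resolved endpoint plus the user pointers and does the stack staging once; both syscalls then end in `return receive_staged(e, tag, len, data);`. endpoint_sendrecv's signature and its send step are outside this hunk.
```cpp
// Stage the scalar outputs on the kernel stack: receive() may block, and the
// user address space may differ afterwards, so the user pointers are only
// written through once receive() has returned to this handler.
static j6_status_t
receive_staged(endpoint *e, j6_tag_t *tag, size_t *len, void *data)
{
    j6_tag_t out_tag = j6_tag_invalid;
    size_t out_len = 0;
    j6_status_t s = e->receive(&out_tag, &out_len, data);
    *tag = out_tag;
    *len = out_len;
    return s;
}

// … unchanged: endpoint_receive / endpoint_sendrecv up to the receive call …
    return receive_staged(e, tag, len, data);
```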