Kernel: Fix integer overflow in KCOV_SETBUFSIZE ioctl

RonjaPonja · awesomekling · commit d5fdb97a8121 · 2021-07-26T23:52:15.000+02:00
diff --git a/Kernel/Devices/KCOVInstance.cpp b/Kernel/Devices/KCOVInstance.cpp
@@ -17,6 +17,9 @@ KCOVInstance::KCOVInstance(ProcessID pid)
 
 KResult KCOVInstance::buffer_allocate(size_t buffer_size_in_entries)
 {
+    if (buffer_size_in_entries < 2 || buffer_size_in_entries > KCOV_MAX_ENTRIES)
+        return EINVAL;
+
     // first entry contains index of last PC
     this->m_buffer_size_in_entries = buffer_size_in_entries - 1;
     this->m_buffer_size_in_bytes = page_round_up(buffer_size_in_entries * KCOV_ENTRY_SIZE);
diff --git a/Kernel/Devices/KCOVInstance.h b/Kernel/Devices/KCOVInstance.h
@@ -14,6 +14,7 @@ namespace Kernel {
 // Note: These need to be kept in sync with Userland/Libraries/LibC/sys/kcov.h
 typedef volatile u64 kcov_pc_t;
 #define KCOV_ENTRY_SIZE sizeof(kcov_pc_t)
+#define KCOV_MAX_ENTRIES (10 * 1024 * 1024)
 
 /*
  * One KCOVInstance is allocated per process, when the process opens /dev/kcov

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,9 @@ KCOVInstance::KCOVInstance(ProcessID pid)`
`17`	`17`
`18`	`18`	`KResult KCOVInstance::buffer_allocate(size_t buffer_size_in_entries)`
`19`	`19`	`{`
	`20`	`+ if (buffer_size_in_entries < 2 \|\| buffer_size_in_entries > KCOV_MAX_ENTRIES)`
	`21`	`+ return EINVAL;`
	`22`	`+`
`20`	`23`	`// first entry contains index of last PC`
`21`	`24`	`this->m_buffer_size_in_entries = buffer_size_in_entries - 1;`
`22`	`25`	`this->m_buffer_size_in_bytes = page_round_up(buffer_size_in_entries * KCOV_ENTRY_SIZE);`