diff options
| author | Ian Moffett <ian@osmora.org> | 2025-06-03 16:41:21 -0400 |
|---|---|---|
| committer | Ian Moffett <ian@osmora.org> | 2025-06-03 16:41:21 -0400 |
| commit | 42cde478e31ccfe1b6520dd6c54d4405e09bffc7 (patch) | |
| tree | 85fcac1fe92d5cee24d5cb067fb0acf794233421 | |
| parent | fd4f7c5d2ffa875368437c78a13eb8fc7595d49d (diff) | |
kernel: device: Harden cdev mmap() bounds checks
Signed-off-by: Ian Moffett <ian@osmora.org>
| -rw-r--r-- | sys/dev/video/fbdev.c | 5 | ||||
| -rw-r--r-- | sys/include/sys/device.h | 2 | ||||
| -rw-r--r-- | sys/vm/vm_map.c | 2 |
3 files changed, 4 insertions, 5 deletions
diff --git a/sys/dev/video/fbdev.c b/sys/dev/video/fbdev.c index 391400c..b4b465b 100644 --- a/sys/dev/video/fbdev.c +++ b/sys/dev/video/fbdev.c @@ -45,13 +45,12 @@ static volatile struct limine_framebuffer_request framebuffer_req = { }; static paddr_t -fbdev_mmap(dev_t dev, off_t off, int flags) +fbdev_mmap(dev_t dev, size_t size, off_t off, int flags) { size_t max_bounds; max_bounds = FRAMEBUFFER->pitch * FRAMEBUFFER->height; - max_bounds /= 4; - if (off > max_bounds) { + if ((off + size) > max_bounds) { return 0; } diff --git a/sys/include/sys/device.h b/sys/include/sys/device.h index cb2a702..04b66fc 100644 --- a/sys/include/sys/device.h +++ b/sys/include/sys/device.h @@ -48,7 +48,7 @@ typedef int(*dev_bsize_t)(dev_t); struct cdevsw { int(*read)(dev_t dev, struct sio_txn *sio, int flags); int(*write)(dev_t dev, struct sio_txn *sio, int flags); - paddr_t(*mmap)(dev_t dev, off_t off, int flags); + paddr_t(*mmap)(dev_t dev, size_t size, off_t off, int flags); /* Private */ struct vm_object vmobj; diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 112f4b0..a3a6f39 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -216,7 +216,7 @@ mmap(void *addr, size_t len, int prot, int flags, int fildes, off_t off) } cdevp = map_obj->data; - if ((pa = cdevp->mmap(vp->dev, off, 0)) == 0) { + if ((pa = cdevp->mmap(vp->dev, len, off, 0)) == 0) { kprintf("mmap: dev mmap() gave 0\n"); return NULL; } |