From 15fa59f6ffa55a0ec8f8f6b8fb3ba46c67fb3030 Mon Sep 17 00:00:00 2001
From: Ian Moffett
Date: Mon, 21 Jul 2025 01:22:48 -0400
Subject: kernel: subr: Check uaddr against mmap ledger

When validating memory addresses coming from userspace, we currently only check if it is within range of the program stack or data. However, data may also be allocated in the heap which involves addresses stored in the memory map ledger. In order for user programs to be able to pass references to that kind of memory to syscalls, we must be able to check the addresses against ledger entries as well.

Signed-off-by: Ian Moffett
---
 sys/kern/kern_subr.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'sys/kern')
diff --git a/sys/kern/kern_subr.c b/sys/kern/kern_subr.c
index f437ec7..8a08f33 100644
--- a/sys/kern/kern_subr.c
+++ b/sys/kern/kern_subr.c
@@ -29,9 +29,12 @@
 #include
 #include
+#include
 #include
+#include
 #include
 #include
+#include
 #include
 /*
@@ -45,6 +48,8 @@ static bool
 check_uaddr(const void *uaddr)
 {
 vaddr_t stack_start, stack_end;
+ struct mmap_lgdr *lp;
+ struct mmap_entry find, *res;
 struct exec_prog exec;
 struct proc *td;
 uintptr_t addr;
@@ -61,6 +66,22 @@ check_uaddr(const void *uaddr)
 if (addr >= stack_start && addr <= stack_end)
 return true;
+ /* Try to grab the mmap ledger */
+ if ((lp = td->mlgdr) == NULL) {
+ return false;
+ }
+
+ /*
+ * Now give an attempt at looking through the
+ * mmap ledger. Perhaps this memory was allocated
+ * in the user heap?
+ */
+ find.va_start = ALIGN_DOWN(addr, DEFAULT_PAGESIZE);
+ res = RBT_FIND(lgdr_entries, &lp->hd, &find);
+ if (res != NULL) {
+ return true;
+ }
+
 return false;
 }
--
cgit v1.2.3
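Review bot: The ledger lookup added after the stack check treats any hit on the page-aligned key as proof that the pointer is valid: `res` is only compared with NULL, so the entry's extent and protection are never checked against the access, and check_uaddr() itself takes no length. Unless the comparator for `lgdr_entries` matches ranges (it is not visible here), `find.va_start = ALIGN_DOWN(addr, DEFAULT_PAGESIZE)` also finds only an entry that starts on that exact page, so a pointer into a later page of a multi-page mapping would still be rejected. `find` is declared in the previous hunk without an initializer and only `va_start` is set, so a comparator that reads any other field would see stack garbage; `struct mmap_entry find = {0};` avoids that. I would at least record the limits above the lookup, e.g. `/* Matches only an entry keyed at this page; length and protection must be checked by the caller. */`, and confirm whether `td->mlgdr` needs a lock held across the lookup and the copy that follows it. check_uaddr() begins outside this hunk.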