From c39c8e69824af03799b0903f218eac81eba80751 Mon Sep 17 00:00:00 2001 From: Lioncash Date: Wed, 3 Apr 2019 20:23:14 -0400 Subject: kernel/svc: Properly sanitize mutex address in WaitProcessWideKeyAtomic We need to be checking whether or not the given address is within the kernel address space or if the given address isn't word-aligned and bail in these scenarios instead of trashing any kernel state. --- src/core/hle/kernel/svc.cpp | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src') diff --git a/src/core/hle/kernel/svc.cpp b/src/core/hle/kernel/svc.cpp index ab10db3df..2fd07ab34 100644 --- a/src/core/hle/kernel/svc.cpp +++ b/src/core/hle/kernel/svc.cpp @@ -1339,6 +1339,20 @@ static ResultCode WaitProcessWideKeyAtomic(VAddr mutex_addr, VAddr condition_var "called mutex_addr={:X}, condition_variable_addr={:X}, thread_handle=0x{:08X}, timeout={}", mutex_addr, condition_variable_addr, thread_handle, nano_seconds); + if (Memory::IsKernelVirtualAddress(mutex_addr)) { + LOG_ERROR( + Kernel_SVC, + "Given mutex address must not be within the kernel address space. address=0x{:016X}", + mutex_addr); + return ERR_INVALID_ADDRESS_STATE; + } + + if (!Common::IsWordAligned(mutex_addr)) { + LOG_ERROR(Kernel_SVC, "Given mutex address must be word-aligned. address=0x{:016X}", + mutex_addr); + return ERR_INVALID_ADDRESS; + } + auto* const current_process = Core::System::GetInstance().Kernel().CurrentProcess(); const auto& handle_table = current_process->GetHandleTable(); SharedPtr thread = handle_table.Get(thread_handle); -- cgit v1.2.3