From abe5739c10c2d4471f29bc2740694ccd6ddba7c0 Mon Sep 17 00:00:00 2001
From: AFWEF_147
Date: Mon, 23 Mar 2026 12:09:55 +0000
Subject: [PATCH 1/2] fix(lwp): reject wrapped user copy ranges
---
 components/lwp/lwp_user_mm.c | 51 ++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/components/lwp/lwp_user_mm.c b/components/lwp/lwp_user_mm.c
index 99d11a26a95..8f129f72aaa 100644
--- a/components/lwp/lwp_user_mm.c
+++ b/components/lwp/lwp_user_mm.c
@@ -672,21 +672,46 @@ void *lwp_mremap(struct rt_lwp *lwp, void *old_address, size_t old_size,
 return rt_aspace_mremap_range(lwp->aspace, old_address, old_size, new_size, flags, new_address);
 }
-size_t lwp_get_from_user(void *dst, void *src, size_t size)
+static rt_bool_t _lwp_user_range_is_valid(const void *addr, size_t size)
 {
- struct rt_lwp *lwp = RT_NULL;
+ uintptr_t start;
+ uintptr_t end;
- /* check src */
+ if (addr == RT_NULL)
+ {
+ return RT_FALSE;
+ }
- if (src < (void *)USER_VADDR_START)
+ start = (uintptr_t)addr;
+ if (start < (uintptr_t)USER_VADDR_START)
 {
- return 0;
+ return RT_FALSE;
 }
- if (src >= (void *)USER_VADDR_TOP)
+ if (start >= (uintptr_t)USER_VADDR_TOP)
 {
- return 0;
+ return RT_FALSE;
+ }
+
+ end = start + size;
+ if (end < start)
+ {
+ return RT_FALSE;
 }
- if ((void *)((char *)src + size) > (void *)USER_VADDR_TOP)
+ if (end > (uintptr_t)USER_VADDR_TOP)
+ {
+ return RT_FALSE;
+ }
+
+ return RT_TRUE;
+}
+
+size_t lwp_get_from_user(void *dst, void *src, size_t size)
+{
+ struct rt_lwp *lwp = RT_NULL;
+
+ /* check src */
+
+ if (!_lwp_user_range_is_valid(src, size))
 {
 return 0;
 }
@@ -705,15 +730,7 @@ size_t lwp_put_to_user(void *dst, void *src, size_t size)
 struct rt_lwp *lwp = RT_NULL;
 /* check dst */
- if (dst < (void *)USER_VADDR_START)
- {
- return 0;
- }
- if (dst >= (void *)USER_VADDR_TOP)
- {
- return 0;
- }
- if ((void *)((char *)dst + size) > (void *)USER_VADDR_TOP)
+ if (!_lwp_user_range_is_valid(dst, size))
 {
 return 0;
 }
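Review bot: In `_lwp_user_range_is_valid` the upper bound is still computed as `end = start + size` and depends on the separate `end < start` test to catch wrap-around. Since `start < USER_VADDR_TOP` is already established by the preceding check, the bound can be written with no addition that can overflow: `if (size > (uintptr_t)USER_VADDR_TOP - start) return RT_FALSE;`, which replaces both `end` comparisons and removes the `end` local. The helper also has no comment; I would add above it `/* RT_TRUE iff [addr, addr + size) lies inside [USER_VADDR_START, USER_VADDR_TOP); numeric range only, size == 0 is accepted */`, so callers do not read it as a check that the pages are mapped. The same helper is used in the `lwp_put_to_user` hunk, and the bodies of both copy functions continue outside the hunks. Any other `(char *)ptr + size` bound checks elsewhere in this file would have the same wrap problem, though none are visible here.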
From 019a778dc5b84fc1e4b32466a995077c203e32ec Mon Sep 17 00:00:00 2001
From: Telecaster2147
Date: Mon, 23 Mar 2026 13:49:12 +0000
Subject: [PATCH 2/2] style: format code with clang-format [skip ci]
---
 components/lwp/lwp_user_mm.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/components/lwp/lwp_user_mm.c b/components/lwp/lwp_user_mm.c
index 8f129f72aaa..6fe739f7f56 100644
--- a/components/lwp/lwp_user_mm.c
+++ b/components/lwp/lwp_user_mm.c
@@ -107,14 +107,14 @@ static void _null_page_read(struct rt_varea *varea, struct rt_aspace_io_msg *msg
 memset(dest, 0, ARCH_PAGE_SIZE);
 msg->response.status = MM_FAULT_STATUS_OK;
- return ;
+ return;
 }
 static void _null_page_write(struct rt_varea *varea, struct rt_aspace_io_msg *msg)
 {
 /* write operation is not allowed */
 msg->response.status = MM_FAULT_STATUS_UNRECOVERABLE;
- return ;
+ return;
 }
 static struct rt_mem_obj _null_object = {
@@ -358,11 +358,11 @@ void *lwp_map_user_phy(struct rt_lwp *lwp, void *map_va, void *map_pa,
 map_size &= ~ARCH_PAGE_MASK;
 map_pa = (void *)((size_t)map_pa & ~ARCH_PAGE_MASK);
- struct rt_mm_va_hint hint = {.flags = 0,
- .limit_range_size = lwp->aspace->size,
- .limit_start = lwp->aspace->start,
- .prefer = map_va,
- .map_size = map_size};
+ struct rt_mm_va_hint hint = { .flags = 0,
+ .limit_range_size = lwp->aspace->size,
+ .limit_start = lwp->aspace->start,
+ .prefer = map_va,
+ .map_size = map_size };
 if (map_va != RT_NULL) hint.flags |= MMF_MAP_FIXED;
@@ -422,7 +422,7 @@ rt_inline rt_mem_obj_t _get_mmap_obj(struct rt_lwp *lwp)
 rt_inline rt_bool_t _memory_threshold_ok(void)
 {
- #define GUARDIAN_BITS (10)
+#define GUARDIAN_BITS (10)
 size_t total, free;
 rt_page_get_info(&total, &free);
@@ -462,7 +462,7 @@ static void _prefetch_mmap(rt_aspace_t aspace, void *addr, long size)
 msg.off = (long)base >> MM_PAGE_SHIFT;
 rt_aspace_fault_try_fix(aspace, &msg);
 }
- return ;
+ return;
 }
 void *lwp_user_memory_remap_to_kernel(rt_lwp_t lwp, void *uaddr, size_t length)
@@ -572,7 +572,7 @@ void *lwp_mmap2(struct rt_lwp *lwp, void *addr, size_t length, int prot,
 if (va_affid != pgoff_affid)
 {
 LOG_W("Unaligned mapping address %p(pgoff=0x%lx) from fd=%d",
- addr, pgoffset, fd);
+ addr, pgoffset, fd);
 }
 }
 else
@@ -588,10 +588,10 @@ void *lwp_mmap2(struct rt_lwp *lwp, void *addr, size_t length, int prot,
 if (fd == -1)
 {
- #ifdef RT_DEBUGGING_PAGE_THRESHOLD
+#ifdef RT_DEBUGGING_PAGE_THRESHOLD
 if (!_memory_threshold_ok()) return (void *)-ENOMEM;
- #endif /* RT_DEBUGGING_PAGE_THRESHOLD */
+#endif /* RT_DEBUGGING_PAGE_THRESHOLD */
 k_offset = MM_PA_TO_OFF(addr);
 k_flags = MMF_CREATE(lwp_user_mm_flag_to_kernel(flags) | MMF_MAP_PRIVATE,
@@ -665,7 +665,7 @@ int lwp_munmap(struct rt_lwp *lwp, void *addr, size_t length)
 }
 void *lwp_mremap(struct rt_lwp *lwp, void *old_address, size_t old_size,
- size_t new_size, int flags, void *new_address)
+ size_t new_size, int flags, void *new_address)
 {
 RT_ASSERT(lwp);
@@ -1067,7 +1067,7 @@ size_t lwp_user_strlen_ext(struct rt_lwp *lwp, const char *s)
 if (get_bytes == 0)
 {
 LOG_I("lwp_data_get(lwp=%p,dst=0x%lx,src=0x%lx,size=0x1000): user data unaccessible",
- lwp, temp_buf, addr_start);
+ lwp, temp_buf, addr_start);
 len = -1;
 break;
 }
@@ -1076,7 +1076,7 @@ size_t lwp_user_strlen_ext(struct rt_lwp *lwp, const char *s)
 else
 {
 LOG_I("lwp_data_get(lwp=%p,dst=0x%lx,src=0x%lx,size=0x1000): user data unaccessible",
- lwp, temp_buf, addr_start);
+ lwp, temp_buf, addr_start);
 len = -1;
 break;
 }