From adb36de077c9bcd99072e86c7f84bac46a58e326 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Fri, 28 Feb 2020 16:45:20 +0100
Subject: kernel: make sure we wont run into the tos when copying exec() arguments

in case the calling process changes its arguments under us, it could happen that the final argument string lengths become bigger than initially calculated. this is fine as we still make sure we wont overflow the stack segment, but we could overrun into the tos structure at the end of the stack. so change the limit to the base of the tos, not the end of the stack segment.
---
 sys/src/9/port/sysproc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'sys/src/9/port/sysproc.c')
diff --git a/sys/src/9/port/sysproc.c b/sys/src/9/port/sysproc.c
index 075fdbd43..bfaae1d10 100644
--- a/sys/src/9/port/sysproc.c
+++ b/sys/src/9/port/sysproc.c
@@ -466,8 +466,10 @@ sysexec(va_list list)
 if(indir)
 e = strchr(a, 0);
 else {
+ if(charp >= (char*)tos)
+ error(Ebadarg);
 validaddr((uintptr)a, 1, 0);
- e = vmemchr(a, 0, (char*)tstk - charp);
+ e = vmemchr(a, 0, (char*)tos - charp);
 if(e == nil)
 error(Ebadarg);
 }
-- 
cgit v1.2.3
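Review bot: The reason the scan limit is `tos` rather than `tstk` is recorded only in the commit message, so the new guard `if(charp >= (char*)tos)` reads as an arbitrary bound in the code. A comment above it such as `/* user args can grow after they were measured; stop at tos so the copy never reaches the Tos at the top of the stack */` would keep the race rationale next to the check. The same comment could note that the guard keeps `(char*)tos - charp` positive before it is passed to `vmemchr` as a length, which presumably matters once earlier arguments have advanced `charp` further than planned. The `indir` branch still uses an unbounded `strchr(a, 0)`; that is fine if those strings are kernel-held and cannot change after being measured, but that is not visible here and is worth confirming. The copy that consumes `e` and the rest of `sysexec` lie outside this hunk.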