fix(lwp): reject wrapped user copy ranges

Telecaster2147 · Telecaster2147 · commit abe5739c10c2 · 2026-03-23T12:52:18.000Z
diff --git a/components/lwp/lwp_user_mm.c b/components/lwp/lwp_user_mm.c
@@ -672,21 +672,46 @@ void *lwp_mremap(struct rt_lwp *lwp, void *old_address, size_t old_size,
     return rt_aspace_mremap_range(lwp->aspace, old_address, old_size, new_size, flags, new_address);
 }
 
-size_t lwp_get_from_user(void *dst, void *src, size_t size)
+static rt_bool_t _lwp_user_range_is_valid(const void *addr, size_t size)
 {
-    struct rt_lwp *lwp = RT_NULL;
+    uintptr_t start;
+    uintptr_t end;
 
-    /* check src */
+    if (addr == RT_NULL)
+    {
+        return RT_FALSE;
+    }
 
-    if (src < (void *)USER_VADDR_START)
+    start = (uintptr_t)addr;
+    if (start < (uintptr_t)USER_VADDR_START)
     {
-        return 0;
+        return RT_FALSE;
     }
-    if (src >= (void *)USER_VADDR_TOP)
+    if (start >= (uintptr_t)USER_VADDR_TOP)
     {
-        return 0;
+        return RT_FALSE;
+    }
+
+    end = start + size;
+    if (end < start)
+    {
+        return RT_FALSE;
     }
-    if ((void *)((char *)src + size) > (void *)USER_VADDR_TOP)
+    if (end > (uintptr_t)USER_VADDR_TOP)
+    {
+        return RT_FALSE;
+    }
+
+    return RT_TRUE;
+}
+
+size_t lwp_get_from_user(void *dst, void *src, size_t size)
+{
+    struct rt_lwp *lwp = RT_NULL;
+
+    /* check src */
+
+    if (!_lwp_user_range_is_valid(src, size))
     {
         return 0;
     }
@@ -705,15 +730,7 @@ size_t lwp_put_to_user(void *dst, void *src, size_t size)
     struct rt_lwp *lwp = RT_NULL;
 
     /* check dst */
-    if (dst < (void *)USER_VADDR_START)
-    {
-        return 0;
-    }
-    if (dst >= (void *)USER_VADDR_TOP)
-    {
-        return 0;
-    }
-    if ((void *)((char *)dst + size) > (void *)USER_VADDR_TOP)
+    if (!_lwp_user_range_is_valid(dst, size))
     {
         return 0;
     }
