From abe5739c10c2d4471f29bc2740694ccd6ddba7c0 Mon Sep 17 00:00:00 2001 From: AFWEF_147 Date: Mon, 23 Mar 2026 12:09:55 +0000 Subject: [PATCH] fix(lwp): reject wrapped user copy ranges --- components/lwp/lwp_user_mm.c | 51 ++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/components/lwp/lwp_user_mm.c b/components/lwp/lwp_user_mm.c index 99d11a26a95..8f129f72aaa 100644 --- a/components/lwp/lwp_user_mm.c +++ b/components/lwp/lwp_user_mm.c @@ -672,21 +672,46 @@ void *lwp_mremap(struct rt_lwp *lwp, void *old_address, size_t old_size, return rt_aspace_mremap_range(lwp->aspace, old_address, old_size, new_size, flags, new_address); } -size_t lwp_get_from_user(void *dst, void *src, size_t size) +static rt_bool_t _lwp_user_range_is_valid(const void *addr, size_t size) { - struct rt_lwp *lwp = RT_NULL; + uintptr_t start; + uintptr_t end; - /* check src */ + if (addr == RT_NULL) + { + return RT_FALSE; + } - if (src < (void *)USER_VADDR_START) + start = (uintptr_t)addr; + if (start < (uintptr_t)USER_VADDR_START) { - return 0; + return RT_FALSE; } - if (src >= (void *)USER_VADDR_TOP) + if (start >= (uintptr_t)USER_VADDR_TOP) { - return 0; + return RT_FALSE; + } + + end = start + size; + if (end < start) + { + return RT_FALSE; } - if ((void *)((char *)src + size) > (void *)USER_VADDR_TOP) + if (end > (uintptr_t)USER_VADDR_TOP) + { + return RT_FALSE; + } + + return RT_TRUE; +} + +size_t lwp_get_from_user(void *dst, void *src, size_t size) +{ + struct rt_lwp *lwp = RT_NULL; + + /* check src */ + + if (!_lwp_user_range_is_valid(src, size)) { return 0; } @@ -705,15 +730,7 @@ size_t lwp_put_to_user(void *dst, void *src, size_t size) struct rt_lwp *lwp = RT_NULL; /* check dst */ - if (dst < (void *)USER_VADDR_START) - { - return 0; - } - if (dst >= (void *)USER_VADDR_TOP) - { - return 0; - } - if ((void *)((char *)dst + size) > (void *)USER_VADDR_TOP) + if (!_lwp_user_range_is_valid(dst, size)) { return 0; }