[haiku-bugs] Re: [Haiku] #16610: app_server: crash when running application from another user

  • From: "Haiku" <trac@xxxxxxxxxxxx>
  • To: undisclosed-recipients: ;
  • Date: Thu, 19 Nov 2020 17:05:26 -0000

#16610: app_server: crash when running application from another user
---------------------------------+----------------------------
  Reporter:  X512                |      Owner:  axeld
      Type:  bug                 |     Status:  new
  Priority:  normal              |  Milestone:  Unscheduled
 Component:  Servers/app_server  |    Version:  R1/Development
Resolution:                      |   Keywords:
Blocked By:                      |   Blocking:
  Platform:  All                 |
---------------------------------+----------------------------
Comment (by X512):

I am not sure how much of that comment still applies, as the code now
 uses user_memcpy and appears to reject non-user pointers.

 Device node pointers are passed directly from userland without checks:
 `device_node* node = (device_node*)cookie;`. This can be used to access and
 modify kernel memory from userland. Some kind of ID, like a file descriptor,
 should be used to identify the `device_node` in userland. Or the userland API
 should be changed so that a direct `device_node` is not needed, for example
 by using an opened file descriptor with pointers to the current device_node
 to communicate with userland.
-- 
Ticket URL: <https://dev.haiku-os.org/ticket/16610#comment:6>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.
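
The ID-based lookup suggested in the comment above, as an added sketch that is not Haiku code and not part of the original message. Every name except `device_node` is hypothetical, the owner is assumed to be an integer team ID, and locking is omitted.

```c
/* Added illustration, not Haiku code: userland gets an opaque handle and the
 * kernel resolves it through a table instead of casting the cookie. */
#include <stdint.h>
#include <stddef.h>

#define MAX_HANDLES 64

typedef struct device_node { int id; } device_node; /* stand-in for the kernel object */

typedef struct {
    device_node *node;   /* kernel pointer, never handed to userland */
    uint16_t generation; /* bumped on close so stale handles stop resolving */
    int owner;           /* assumed: team that opened the handle */
} handle_slot;

static handle_slot table[MAX_HANDLES];

/* Register a node for `owner`. Returns generation<<16 | slot, or 0 if full. */
uint32_t handle_open(device_node *node, int owner)
{
    for (uint16_t i = 0; i < MAX_HANDLES; i++) {
        if (table[i].node != NULL)
            continue;
        table[i].node = node;
        table[i].owner = owner;
        if (table[i].generation == 0)
            table[i].generation = 1; /* keeps 0 reserved as "invalid" */
        return ((uint32_t)table[i].generation << 16) | i;
    }
    return 0;
}

/* Resolve a userland-supplied value; anything not issued to `caller` is NULL. */
device_node *handle_lookup(uint32_t handle, int caller)
{
    uint16_t idx = (uint16_t)(handle & 0xffff);
    uint16_t gen = (uint16_t)(handle >> 16);
    if (idx >= MAX_HANDLES)
        return NULL;
    handle_slot *s = &table[idx];
    if (s->node == NULL || s->generation != gen || s->owner != caller)
        return NULL;
    return s->node;
}

/* Release a handle; the generation bump invalidates any copy still held. */
int handle_close(uint32_t handle, int caller)
{
    if (handle_lookup(handle, caller) == NULL)
        return -1;
    handle_slot *s = &table[handle & 0xffff];
    s->node = NULL;
    if (++s->generation == 0)
        s->generation = 1;
    return 0;
}
```

An arbitrary integer from userland can only ever select a table slot, so a forged value fails the bounds, generation or owner check instead of being dereferenced.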
