Skip to content

Commit ea408eb

Browse files
fdesbiensfdesbiens
authored
Merge commit from fork
Fixed pointer validation flaw and improper parameter check in syscall implementation
2 parents 372e71f + 3d6b65a commit ea408eb

File tree

2 files changed

+170
-17
lines changed

2 files changed

+170
-17
lines changed

common_modules/module_manager/inc/txm_module_manager_util.h

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
/* COMPONENT DEFINITION RELEASE */
2626
/* */
2727
/* txm_module_manager_util.h PORTABLE C */
28-
/* 6.3.0 */
28+
/* 6.4.3 */
2929
/* AUTHOR */
3030
/* */
3131
/* Scott Larson, Microsoft Corporation */
@@ -46,6 +46,10 @@
4646
/* 10-31-2023 Tiejun Zhou Modified comment(s) and */
4747
/* improved object check, */
4848
/* resulting in version 6.3.0 */
49+
/* xx-xx-2025 William E. Lamie Modified comment(s) and */
50+
/* improved object pointer use */
51+
/* and creation checking, */
52+
/* resulting in version 6.4.3 */
4953
/* */
5054
/**************************************************************************/
5155

@@ -102,16 +106,11 @@
102106

103107
/* Kernel objects should be outside the module at the very least. */
104108
#define TXM_MODULE_MANAGER_PARAM_CHECK_OBJECT_FOR_USE(module_instance, obj_ptr, obj_size) \
105-
(TXM_MODULE_MANAGER_ENSURE_OUTSIDE_MODULE(module_instance, obj_ptr, obj_size) || \
106-
(_txm_module_manager_created_object_check(module_instance, (void *)obj_ptr) == TX_FALSE) || \
107-
((void *) (obj_ptr) == TX_NULL))
109+
(_txm_module_manager_param_check_object_for_use(module_instance, obj_ptr, obj_size))
108110

109111
/* When creating an object, the object must be inside the object pool. */
110112
#define TXM_MODULE_MANAGER_PARAM_CHECK_OBJECT_FOR_CREATION(module_instance, obj_ptr, obj_size) \
111-
((TXM_MODULE_MANAGER_ENSURE_INSIDE_OBJ_POOL(module_instance, obj_ptr, obj_size) && \
112-
(_txm_module_manager_object_size_check(obj_ptr, obj_size) == TX_SUCCESS)) || \
113-
(_txm_module_manager_created_object_check(module_instance, (void *)obj_ptr) == TX_FALSE) || \
114-
((void *) (obj_ptr) == TX_NULL))
113+
(_txm_module_manager_param_check_object_for_creation(module_instance, obj_ptr, obj_size))
115114

116115
/* Strings we dereference can be in RW/RO/Shared areas. */
117116
#define TXM_MODULE_MANAGER_PARAM_CHECK_DEREFERENCE_STRING(module_instance, string_ptr) \
@@ -136,6 +135,8 @@ UINT _txm_module_manager_object_memory_check(TXM_MODULE_INSTANCE *module_inst
136135
UINT _txm_module_manager_object_size_check(ALIGN_TYPE object_ptr, ULONG object_size);
137136
UINT _txm_module_manager_object_name_compare(CHAR *object_name1, UINT object_name1_length, CHAR *object_name2);
138137
UCHAR _txm_module_manager_created_object_check(TXM_MODULE_INSTANCE *module_instance, void *object_ptr);
138+
UINT _txm_module_manager_param_check_object_for_creation(TXM_MODULE_INSTANCE *module_instance, ALIGN_TYPE object_ptr, ULONG object_size);
139+
UINT _txm_module_manager_param_check_object_for_use(TXM_MODULE_INSTANCE *module_instance, ALIGN_TYPE object_ptr, ULONG object_size);
139140
UINT _txm_module_manager_util_code_allocation_size_and_alignment_get(TXM_MODULE_PREAMBLE *module_preamble, ULONG *code_alignment_dest, ULONG *code_allocation_size_dest);
140141

141142
#endif

common_modules/module_manager/src/txm_module_manager_util.c

Lines changed: 161 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,7 @@ UINT _txm_module_manager_object_memory_check(TXM_MODULE_INSTANCE *module_instan
104104
/* FUNCTION RELEASE */
105105
/* */
106106
/* _txm_module_manager_created_object_check PORTABLE C */
107-
/* 6.1 */
107+
/* 6.1x */
108108
/* AUTHOR */
109109
/* */
110110
/* Scott Larson, Microsoft Corporation */
@@ -137,22 +137,20 @@ UINT _txm_module_manager_object_memory_check(TXM_MODULE_INSTANCE *module_instan
137137
/* DATE NAME DESCRIPTION */
138138
/* */
139139
/* 09-30-2020 Scott Larson Initial Version 6.1 */
140+
/* xx-xx-2025 William E. Lamie Modified comment(s), and */
141+
/* removed module local memory */
142+
/* check, resulting in */
143+
/* version 6.1x */
140144
/* */
141145
/**************************************************************************/
142146
UCHAR _txm_module_manager_created_object_check(TXM_MODULE_INSTANCE *module_instance, VOID *object_ptr)
143147
{
144148

145149
TXM_MODULE_ALLOCATED_OBJECT *allocated_object_ptr;
146150

147-
/* Determine if the socket control block is inside the module. */
148-
if ( (((CHAR *) object_ptr) >= ((CHAR *) module_instance -> txm_module_instance_data_start)) &&
149-
(((CHAR *) object_ptr) < ((CHAR *) module_instance -> txm_module_instance_data_end)))
150-
{
151-
return TX_TRUE;
152-
}
153151

154-
/* Determine if this object control block was allocated by this module instance. */
155-
else if (_txm_module_manager_object_pool_created)
152+
/* Determine if the object pool has been created. */
153+
if (_txm_module_manager_object_pool_created)
156154
{
157155

158156
/* Determine if the current object is from the pool of dynamically allocated objects. */
@@ -336,6 +334,158 @@ CHAR object_name_char;
336334
}
337335

338336

337+
/**************************************************************************/
338+
/* */
339+
/* FUNCTION RELEASE */
340+
/* */
341+
/* _txm_module_manager_param_check_object_for_creation PORTABLE C */
342+
/* 6.4.3 */
343+
/* AUTHOR */
344+
/* */
345+
/* William E. Lamie, RTOSX */
346+
/* */
347+
/* DESCRIPTION */
348+
/* */
349+
/* This function checks to make sure the object pointer for one of the */
350+
/* creation APIs is valid. */
351+
/* */
352+
/* INPUT */
353+
/* */
354+
/* module_instance Requesting module instance pointer*/
355+
/* object_ptr Address of object memory area */
356+
/* ojbect_size Size of object memory area */
357+
/* */
358+
/* OUTPUT */
359+
/* */
360+
/* TX_TRUE Valid object pointer */
361+
/* TX_FALSE Invalid object pointer */
362+
/* */
363+
/* CALLS */
364+
/* */
365+
/* None */
366+
/* */
367+
/* CALLED BY */
368+
/* */
369+
/* txm_module_manager_* Module manager functions */
370+
/* */
371+
/* RELEASE HISTORY */
372+
/* */
373+
/* DATE NAME DESCRIPTION */
374+
/* */
375+
/* xx-xx-2025 William E. Lamie Initial Version 6.4.3 */
376+
/* */
377+
/**************************************************************************/
378+
UINT _txm_module_manager_param_check_object_for_creation(TXM_MODULE_INSTANCE *module_instance, ALIGN_TYPE object_ptr, ULONG object_size)
379+
{
380+
381+
/* Determine if the object pointer is NULL. */
382+
if ((void *) object_ptr == TX_NULL)
383+
{
384+
385+
/* Object pointer is NULL, which is invalid. */
386+
return(TX_FALSE);
387+
}
388+
389+
/* Determine if the object pointer is inside the module object pool. */
390+
if (TXM_MODULE_MANAGER_ENSURE_INSIDE_OBJ_POOL(module_instance, object_ptr, object_size) == TX_FALSE)
391+
{
392+
393+
/* Object pointer is not inside the object pool, which is invalid. */
394+
return(TX_FALSE);
395+
}
396+
397+
/* Determine if the object size is correct. */
398+
if (_txm_module_manager_object_size_check(object_ptr, object_size) != TX_SUCCESS)
399+
{
400+
401+
/* Object size is invalid. */
402+
return(TX_FALSE);
403+
}
404+
405+
/* Determine if the ojbect has already been created. */
406+
if (_txm_module_manager_created_object_check(module_instance, (void *) object_ptr) == TX_FALSE)
407+
{
408+
409+
/* Object has already been created, which is invalid. */
410+
return(TX_FALSE);
411+
}
412+
413+
/* Everything is okay with the object, return TX_TRUE. */
414+
return(TX_TRUE);
415+
}
416+
417+
418+
/**************************************************************************/
419+
/* */
420+
/* FUNCTION RELEASE */
421+
/* */
422+
/* _txm_module_manager_param_check_object_for_use PORTABLE C */
423+
/* 6.4.3 */
424+
/* AUTHOR */
425+
/* */
426+
/* William E. Lamie, RTOSX */
427+
/* */
428+
/* DESCRIPTION */
429+
/* */
430+
/* This function checks to make sure the object pointer is valid. */
431+
/* */
432+
/* INPUT */
433+
/* */
434+
/* module_instance Requesting module instance pointer*/
435+
/* object_ptr Address of object memory area */
436+
/* ojbect_size Size of object memory area */
437+
/* */
438+
/* OUTPUT */
439+
/* */
440+
/* TX_TRUE Valid object pointer */
441+
/* TX_FALSE Invalid object pointer */
442+
/* */
443+
/* CALLS */
444+
/* */
445+
/* None */
446+
/* */
447+
/* CALLED BY */
448+
/* */
449+
/* txm_module_manager_* Module manager functions */
450+
/* */
451+
/* RELEASE HISTORY */
452+
/* */
453+
/* DATE NAME DESCRIPTION */
454+
/* */
455+
/* xx-xx-2025 William E. Lamie Initial Version 6.4.3 */
456+
/* */
457+
/**************************************************************************/
458+
UINT _txm_module_manager_param_check_object_for_use(TXM_MODULE_INSTANCE *module_instance, ALIGN_TYPE object_ptr, ULONG object_size)
459+
{
460+
461+
/* Determine if the object pointer is NULL. */
462+
if ((void *) object_ptr == TX_NULL)
463+
{
464+
465+
/* Object pointer is NULL, which is invalid. */
466+
return(TX_FALSE);
467+
}
468+
469+
/* Determine if the object pointer is inside the module object pool. */
470+
if (TXM_MODULE_MANAGER_ENSURE_OUTSIDE_MODULE(module_instance, object_ptr, object_size) == TX_FALSE)
471+
{
472+
473+
/* Object pointer is not inside the object pool, which is invalid. */
474+
return(TX_FALSE);
475+
}
476+
477+
/* Define application-specific object memory check. */
478+
#ifdef TXM_MODULE_MANGER_APPLICATION_VALID_OBJECT_MEMORY_CHECK
479+
480+
/* Bring in the application-spefic objeft memory check, defined by the user. */
481+
TXM_MODULE_MANGER_APPLICATION_VALID_OBJECT_MEMORY_CHECK
482+
#endif /* TXM_MODULE_MANGER_APPLICATION_VALID_OBJECT_MEMORY_ENABLE */
483+
484+
/* Everything is okay with the object, return TX_TRUE. */
485+
return(TX_TRUE);
486+
}
487+
488+
339489
/**************************************************************************/
340490
/* */
341491
/* FUNCTION RELEASE */
@@ -414,3 +564,5 @@ ULONG data_alignment_ignored;
414564
/* Return success. */
415565
return(TX_SUCCESS);
416566
}
567+
568+

0 commit comments

Comments
 (0)