Skip to content

security(kernel): fix buffer overflows in process.c#190

Open
ksaweryr wants to merge 1 commit into
mentos-team:mainfrom
ksaweryr:security/sys_execve-stack-buffer-overflow
Open

security(kernel): fix buffer overflows in process.c#190
ksaweryr wants to merge 1 commit into
mentos-team:mainfrom
ksaweryr:security/sys_execve-stack-buffer-overflow

Conversation

@ksaweryr

@ksaweryr ksaweryr commented Jul 5, 2026

Copy link
Copy Markdown

Description

kernel/src/process/process.c is riddled with unsafe calls to strcpy that can potentially lead to buffer overflows. This PR replaces all of them (even the ones that are definitely safe, for consistency) with strncpy which protects against that. As an example, the following piece of code triggers a stack buffer overflow in sys_execve which can be used for arbitrary code execution (the OS crashes with EIP 0xdeadbeef which proves that it's possible to gain control over code execution this way):

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char buf[512];

#define NAME_BUF_SIZE 255
#define PAD_SIZE 0x58

int main(void) {
    memset(buf, 'A', NAME_BUF_SIZE);
    memset(buf + NAME_BUF_SIZE, 'B', PAD_SIZE);

    char* argv[] = { buf, NULL };
    char* envp[] = { NULL };

    *(uint32_t*)(buf + NAME_BUF_SIZE + PAD_SIZE) = 0xdeadbeef; // eip
    // overwrite some pointers on the stack of `sys_execve` so that the kernel doesn't crash before returning from the function
    *(uint32_t*)(buf + NAME_BUF_SIZE + 0x28) = (uint32_t)argv; // char** origin_argv
    *(uint32_t*)(buf + NAME_BUF_SIZE + 0x2c) = (uint32_t)envp; // char* filename
    *(uint32_t*)(buf + NAME_BUF_SIZE + 0x30) = (uint32_t)envp; // task_struct* current
    *(uint32_t*)(buf + NAME_BUF_SIZE + 0x44) = (uint32_t)envp; // char** origin_envp

    execve("noent", argv, envp);

    return 0;
}

Related Issues

Changes Made

  • Replaced calls to strcpy with calls to strncpy with appropriate bounds in kernel/src/process/process.c
  • Changed TASK_NAME_MAX_LENGTH to NAME_MAX

Testing Performed

  • Built successfully on Debian 13
  • Tested manually with make qemu
  • Ran test suite with make qemu-test
  • All tests pass

Checklist

  • Code follows project style guidelines
  • Comments added for complex logic
  • Documentation updated (if applicable)
  • Tests added/updated (if applicable)
  • Builds without warnings
  • Tested on QEMU

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant