svc: Add missing address range sanitizing checks to MapMemory/UnmapMemory

This adds the missing address range checking that the service functions do before attempting to map or unmap memory. Given that both service functions perform the same set of checks in the same order, we can wrap these into a function and just call it from both functions, which deduplicates a little bit of code.
author: Lioncash 2018-10-10 14:18:27 -0400
committer: Lioncash 2018-10-10 20:30:49 -0400
commit: 72e9cb523e1adfe744aab1d9a05f3c804fe86ccb (patch)
tree: 50b2141eebfa4e50fa8fb71fb03eeb32db6791c1 /src
parent: Merge pull request #1460 from FernandoS27/scissor_test (diff)
download: yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.tar.gz
yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.tar.xz
yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.zip
2 files changed, 81 insertions, 12 deletions
diff --git a/src/core/hle/kernel/errors.h b/src/core/hle/kernel/errors.h
index e5fa67ae8..885259618 100644
--- a/src/core/hle/kernel/errors.h
+++ b/src/core/hle/kernel/errors.h
@@ -22,6 +22,7 @@ enum {
    HandleTableFull = 105,
    InvalidMemoryState = 106,
    InvalidMemoryPermissions = 108,
+    InvalidMemoryRange = 110,
    InvalidThreadPriority = 112,
    InvalidProcessorId = 113,
    InvalidHandle = 114,
@@ -56,6 +57,7 @@ constexpr ResultCode ERR_INVALID_ADDRESS(ErrorModule::Kernel, ErrCodes::InvalidA
 constexpr ResultCode ERR_INVALID_ADDRESS_STATE(ErrorModule::Kernel, ErrCodes::InvalidMemoryState);
 constexpr ResultCode ERR_INVALID_MEMORY_PERMISSIONS(ErrorModule::Kernel,
                                                    ErrCodes::InvalidMemoryPermissions);
+constexpr ResultCode ERR_INVALID_MEMORY_RANGE(ErrorModule::Kernel, ErrCodes::InvalidMemoryRange);
 constexpr ResultCode ERR_INVALID_HANDLE(ErrorModule::Kernel, ErrCodes::InvalidHandle);
 constexpr ResultCode ERR_INVALID_PROCESSOR_ID(ErrorModule::Kernel, ErrCodes::InvalidProcessorId);
 constexpr ResultCode ERR_INVALID_SIZE(ErrorModule::Kernel, ErrCodes::InvalidSize);
diff --git a/src/core/hle/kernel/svc.cpp b/src/core/hle/kernel/svc.cpp
index 3afcce3fe..3e4dd61dc 100644
--- a/src/core/hle/kernel/svc.cpp
+++ b/src/core/hle/kernel/svc.cpp
@@ -39,6 +39,73 @@ namespace {
 constexpr bool Is4KBAligned(VAddr address) {
    return (address & 0xFFF) == 0;
 }
+// Checks if address + size is greater than the given address
+// This can return false if the size causes an overflow of a 64-bit type
+// or if the given size is zero.
+constexpr bool IsValidAddressRange(VAddr address, u64 size) {
+    return address + size > address;
+}
+// Checks if a given address range lies within a larger address range.
+constexpr bool IsInsideAddressRange(VAddr address, u64 size, VAddr address_range_begin,
+                                    VAddr address_range_end) {
+    const VAddr end_address = address + size - 1;
+    return address_range_begin <= address && end_address <= address_range_end - 1;
+}
+bool IsInsideAddressSpace(const VMManager& vm, VAddr address, u64 size) {
+    return IsInsideAddressRange(address, size, vm.GetAddressSpaceBaseAddress(),
+                                vm.GetAddressSpaceEndAddress());
+}
+bool IsInsideNewMapRegion(const VMManager& vm, VAddr address, u64 size) {
+    return IsInsideAddressRange(address, size, vm.GetNewMapRegionBaseAddress(),
+                                vm.GetNewMapRegionEndAddress());
+}
+// Helper function that performs the common sanity checks for svcMapMemory
+// and svcUnmapMemory. This is doable, as both functions perform their sanitizing
+// in the same order.
+ResultCode MapUnmapMemorySanityChecks(const VMManager& vm_manager, VAddr dst_addr, VAddr src_addr,
+                                      u64 size) {
+    if (!Is4KBAligned(dst_addr) || !Is4KBAligned(src_addr)) {
+        return ERR_INVALID_ADDRESS;
+    }
+    if (size == 0 || !Is4KBAligned(size)) {
+        return ERR_INVALID_SIZE;
+    }
+    if (!IsValidAddressRange(dst_addr, size)) {
+        return ERR_INVALID_ADDRESS_STATE;
+    }
+    if (!IsValidAddressRange(src_addr, size)) {
+        return ERR_INVALID_ADDRESS_STATE;
+    }
+    if (!IsInsideAddressSpace(vm_manager, src_addr, size)) {
+        return ERR_INVALID_ADDRESS_STATE;
+    }
+    if (!IsInsideNewMapRegion(vm_manager, dst_addr, size)) {
+        return ERR_INVALID_MEMORY_RANGE;
+    }
+    const VAddr dst_end_address = dst_addr + size;
+    if (dst_end_address > vm_manager.GetHeapRegionBaseAddress() &&
+        dst_addr < vm_manager.GetHeapRegionEndAddress()) {
+        return ERR_INVALID_MEMORY_RANGE;
+    }
+    if (dst_end_address > vm_manager.GetNewMapRegionBaseAddress() &&
+        dst_addr < vm_manager.GetMapRegionEndAddress()) {
+        return ERR_INVALID_MEMORY_RANGE;
+    }
+    return RESULT_SUCCESS;
+}
 } // Anonymous namespace
 /// Set the process heap to a given Size. It can both extend and shrink the heap.
@@ -69,15 +136,15 @@ static ResultCode MapMemory(VAddr dst_addr, VAddr src_addr, u64 size) {
    LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,
              src_addr, size);
-    if (!Is4KBAligned(dst_addr) || !Is4KBAligned(src_addr)) {
+    auto* const current_process = Core::CurrentProcess();
-        return ERR_INVALID_ADDRESS;
+    const auto& vm_manager = current_process->VMManager();
-    }
-    if (size == 0 || !Is4KBAligned(size)) {
+    const auto result = MapUnmapMemorySanityChecks(vm_manager, dst_addr, src_addr, size);
-        return ERR_INVALID_SIZE;
+    if (result != RESULT_SUCCESS) {
+        return result;
    }
-    return Core::CurrentProcess()->MirrorMemory(dst_addr, src_addr, size);
+    return current_process->MirrorMemory(dst_addr, src_addr, size);
 }
 /// Unmaps a region that was previously mapped with svcMapMemory
@@ -85,15 +152,15 @@ static ResultCode UnmapMemory(VAddr dst_addr, VAddr src_addr, u64 size) {
    LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,
              src_addr, size);
-    if (!Is4KBAligned(dst_addr) || !Is4KBAligned(src_addr)) {
+    auto* const current_process = Core::CurrentProcess();
-        return ERR_INVALID_ADDRESS;
+    const auto& vm_manager = current_process->VMManager();
-    }
-    if (size == 0 || !Is4KBAligned(size)) {
+    const auto result = MapUnmapMemorySanityChecks(vm_manager, dst_addr, src_addr, size);
-        return ERR_INVALID_SIZE;
+    if (result != RESULT_SUCCESS) {
+        return result;
    }
-    return Core::CurrentProcess()->UnmapMemory(dst_addr, src_addr, size);
+    return current_process->UnmapMemory(dst_addr, src_addr, size);
 }
 /// Connect to an OS service given the port name, returns the handle to the port to out
author	Lioncash	2018-10-10 14:18:27 -0400
committer	Lioncash	2018-10-10 20:30:49 -0400
commit	72e9cb523e1adfe744aab1d9a05f3c804fe86ccb (patch)
tree	50b2141eebfa4e50fa8fb71fb03eeb32db6791c1 /src
parent	Merge pull request #1460 from FernandoS27/scissor_test (diff)
download	yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.tar.gz yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.tar.xz yuzu-72e9cb523e1adfe744aab1d9a05f3c804fe86ccb.zip

diff --git a/src/core/hle/kernel/errors.h b/src/core/hle/kernel/errors.h index e5fa67ae8..885259618 100644 --- a/src/core/hle/kernel/errors.h +++ b/src/core/hle/kernel/errors.h
@@ -22,6 +22,7 @@ enum {
22	HandleTableFull = 105,	22	HandleTableFull = 105,
23	InvalidMemoryState = 106,	23	InvalidMemoryState = 106,
24	InvalidMemoryPermissions = 108,	24	InvalidMemoryPermissions = 108,
		25	InvalidMemoryRange = 110,
25	InvalidThreadPriority = 112,	26	InvalidThreadPriority = 112,
26	InvalidProcessorId = 113,	27	InvalidProcessorId = 113,
27	InvalidHandle = 114,	28	InvalidHandle = 114,
@@ -56,6 +57,7 @@ constexpr ResultCode ERR_INVALID_ADDRESS(ErrorModule::Kernel, ErrCodes::InvalidA
56	constexpr ResultCode ERR_INVALID_ADDRESS_STATE(ErrorModule::Kernel, ErrCodes::InvalidMemoryState);	57	constexpr ResultCode ERR_INVALID_ADDRESS_STATE(ErrorModule::Kernel, ErrCodes::InvalidMemoryState);
57	constexpr ResultCode ERR_INVALID_MEMORY_PERMISSIONS(ErrorModule::Kernel,	58	constexpr ResultCode ERR_INVALID_MEMORY_PERMISSIONS(ErrorModule::Kernel,
58	ErrCodes::InvalidMemoryPermissions);	59	ErrCodes::InvalidMemoryPermissions);
		60	constexpr ResultCode ERR_INVALID_MEMORY_RANGE(ErrorModule::Kernel, ErrCodes::InvalidMemoryRange);
59	constexpr ResultCode ERR_INVALID_HANDLE(ErrorModule::Kernel, ErrCodes::InvalidHandle);	61	constexpr ResultCode ERR_INVALID_HANDLE(ErrorModule::Kernel, ErrCodes::InvalidHandle);
60	constexpr ResultCode ERR_INVALID_PROCESSOR_ID(ErrorModule::Kernel, ErrCodes::InvalidProcessorId);	62	constexpr ResultCode ERR_INVALID_PROCESSOR_ID(ErrorModule::Kernel, ErrCodes::InvalidProcessorId);
61	constexpr ResultCode ERR_INVALID_SIZE(ErrorModule::Kernel, ErrCodes::InvalidSize);	63	constexpr ResultCode ERR_INVALID_SIZE(ErrorModule::Kernel, ErrCodes::InvalidSize);


diff --git a/src/core/hle/kernel/svc.cpp b/src/core/hle/kernel/svc.cpp index 3afcce3fe..3e4dd61dc 100644 --- a/src/core/hle/kernel/svc.cpp +++ b/src/core/hle/kernel/svc.cpp
@@ -39,6 +39,73 @@ namespace {
39	constexpr bool Is4KBAligned(VAddr address) {	39	constexpr bool Is4KBAligned(VAddr address) {
40	return (address & 0xFFF) == 0;	40	return (address & 0xFFF) == 0;
41	}	41	}
		42
		43	// Checks if address + size is greater than the given address
		44	// This can return false if the size causes an overflow of a 64-bit type
		45	// or if the given size is zero.
		46	constexpr bool IsValidAddressRange(VAddr address, u64 size) {
		47	return address + size > address;
		48	}
		49
		50	// Checks if a given address range lies within a larger address range.
		51	constexpr bool IsInsideAddressRange(VAddr address, u64 size, VAddr address_range_begin,
		52	VAddr address_range_end) {
		53	const VAddr end_address = address + size - 1;
		54	return address_range_begin <= address && end_address <= address_range_end - 1;
		55	}
		56
		57	bool IsInsideAddressSpace(const VMManager& vm, VAddr address, u64 size) {
		58	return IsInsideAddressRange(address, size, vm.GetAddressSpaceBaseAddress(),
		59	vm.GetAddressSpaceEndAddress());
		60	}
		61
		62	bool IsInsideNewMapRegion(const VMManager& vm, VAddr address, u64 size) {
		63	return IsInsideAddressRange(address, size, vm.GetNewMapRegionBaseAddress(),
		64	vm.GetNewMapRegionEndAddress());
		65	}
		66
		67	// Helper function that performs the common sanity checks for svcMapMemory
		68	// and svcUnmapMemory. This is doable, as both functions perform their sanitizing
		69	// in the same order.
		70	ResultCode MapUnmapMemorySanityChecks(const VMManager& vm_manager, VAddr dst_addr, VAddr src_addr,
		71	u64 size) {
		72	if (!Is4KBAligned(dst_addr) \|\| !Is4KBAligned(src_addr)) {
		73	return ERR_INVALID_ADDRESS;
		74	}
		75
		76	if (size == 0 \|\| !Is4KBAligned(size)) {
		77	return ERR_INVALID_SIZE;
		78	}
		79
		80	if (!IsValidAddressRange(dst_addr, size)) {
		81	return ERR_INVALID_ADDRESS_STATE;
		82	}
		83
		84	if (!IsValidAddressRange(src_addr, size)) {
		85	return ERR_INVALID_ADDRESS_STATE;
		86	}
		87
		88	if (!IsInsideAddressSpace(vm_manager, src_addr, size)) {
		89	return ERR_INVALID_ADDRESS_STATE;
		90	}
		91
		92	if (!IsInsideNewMapRegion(vm_manager, dst_addr, size)) {
		93	return ERR_INVALID_MEMORY_RANGE;
		94	}
		95
		96	const VAddr dst_end_address = dst_addr + size;
		97	if (dst_end_address > vm_manager.GetHeapRegionBaseAddress() &&
		98	dst_addr < vm_manager.GetHeapRegionEndAddress()) {
		99	return ERR_INVALID_MEMORY_RANGE;
		100	}
		101
		102	if (dst_end_address > vm_manager.GetNewMapRegionBaseAddress() &&
		103	dst_addr < vm_manager.GetMapRegionEndAddress()) {
		104	return ERR_INVALID_MEMORY_RANGE;
		105	}
		106
		107	return RESULT_SUCCESS;
		108	}
42	} // Anonymous namespace	109	} // Anonymous namespace
43		110
44	/// Set the process heap to a given Size. It can both extend and shrink the heap.	111	/// Set the process heap to a given Size. It can both extend and shrink the heap.
@@ -69,15 +136,15 @@ static ResultCode MapMemory(VAddr dst_addr, VAddr src_addr, u64 size) {
69	LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,	136	LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,
70	src_addr, size);	137	src_addr, size);
71		138
72	if (!Is4KBAligned(dst_addr) \|\| !Is4KBAligned(src_addr)) {	139	auto* const current_process = Core::CurrentProcess();
73	return ERR_INVALID_ADDRESS;	140	const auto& vm_manager = current_process->VMManager();
74	}
75		141
76	if (size == 0 \|\| !Is4KBAligned(size)) {	142	const auto result = MapUnmapMemorySanityChecks(vm_manager, dst_addr, src_addr, size);
77	return ERR_INVALID_SIZE;	143	if (result != RESULT_SUCCESS) {
		144	return result;
78	}	145	}
79		146
80	return Core::CurrentProcess()->MirrorMemory(dst_addr, src_addr, size);	147	return current_process->MirrorMemory(dst_addr, src_addr, size);
81	}	148	}
82		149
83	/// Unmaps a region that was previously mapped with svcMapMemory	150	/// Unmaps a region that was previously mapped with svcMapMemory
@@ -85,15 +152,15 @@ static ResultCode UnmapMemory(VAddr dst_addr, VAddr src_addr, u64 size) {
85	LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,	152	LOG_TRACE(Kernel_SVC, "called, dst_addr=0x{:X}, src_addr=0x{:X}, size=0x{:X}", dst_addr,
86	src_addr, size);	153	src_addr, size);
87		154
88	if (!Is4KBAligned(dst_addr) \|\| !Is4KBAligned(src_addr)) {	155	auto* const current_process = Core::CurrentProcess();
89	return ERR_INVALID_ADDRESS;	156	const auto& vm_manager = current_process->VMManager();
90	}
91		157
92	if (size == 0 \|\| !Is4KBAligned(size)) {	158	const auto result = MapUnmapMemorySanityChecks(vm_manager, dst_addr, src_addr, size);
93	return ERR_INVALID_SIZE;	159	if (result != RESULT_SUCCESS) {
		160	return result;
94	}	161	}
95		162
96	return Core::CurrentProcess()->UnmapMemory(dst_addr, src_addr, size);	163	return current_process->UnmapMemory(dst_addr, src_addr, size);
97	}	164	}
98		165
99	/// Connect to an OS service given the port name, returns the handle to the port to out	166	/// Connect to an OS service given the port name, returns the handle to the port to out