#define HAL_MM_MAP_RW (1u << 0)
+/* User space address bounds (architecture-specific) */
+#define HAL_MM_USER_MIN_ADDR 0x08000000U /* Conservative lower bound for user mappings */
+
int hal_mm_map_physical_range(uintptr_t phys_start, uintptr_t phys_end, uint32_t flags, uintptr_t* out_virt);
uintptr_t hal_mm_phys_to_virt(uintptr_t phys);
* real arg2 = *(ECX + 8)
*
* SECURITY: validate ECX is in user space before dereferencing.
- * If ECX >= 0xC0000000 (kernel base), it could leak kernel data.
+ * Use hal_mm_kernel_virt_base() to get dynamic kernel base.
* Also check ECX is at least 8 bytes from kernel boundary.
*/
- cmpl $0xC0000000, %ecx
+ call hal_mm_kernel_virt_base
+ cmpl %eax, %ecx
jae 1f
cmpl $8, %ecx /* ECX must be at least 8 bytes from kernel boundary */
jb 1f
/* Detect 32-bit overflow in p_vaddr + base */
if (p_vaddr > (UINT32_MAX - base)) continue;
uint32_t vaddr = p_vaddr + base;
- if (vaddr >= 0xC0000000U) continue;
+ uintptr_t kern_base = hal_mm_kernel_virt_base();
+ if (kern_base && vaddr >= kern_base) continue;
/* Detect 32-bit overflow in vaddr + p_memsz */
if (p_memsz > (UINT32_MAX - vaddr)) continue;
/* Read symbol count from DT_HASH if available: hash[1] = nchain = nsyms */
uint32_t nsyms = 0;
- if (hash_va && hash_va < 0xC0000000U) {
+ uintptr_t kern_base = hal_mm_kernel_virt_base();
+ if (hash_va && kern_base && hash_va < kern_base) {
nsyms = *(uint32_t*)(hash_va + 4);
}
if (kern_base && end > kern_base) { sc_ret(regs) = (uint32_t)-ENOMEM; return; }
}
- /* Check stack region (user stack is below 0xC0000000, typically around 0xBFxxxxxx) */
+ /* Check stack region (user stack is below kernel base, typically around 0xBFxxxxxx) */
if (!owned) {
uintptr_t kern_base = hal_mm_kernel_virt_base();
- if (kern_base && addr < kern_base && addr >= 0x08000000U)
+ if (kern_base && addr < kern_base && addr >= HAL_MM_USER_MIN_ADDR)
owned = 1; /* Conservative: allow for text/data/bss/stack regions */
}
projects / AdrOS.git / commitdiff