From: Tulio A M Mendes
Date: Tue, 26 May 2026 05:21:07 +0000 (-0300)
Subject: security: handle copy_to_user failures in socket syscalls (Fase 3)
X-Git-Url: https://projects.tadryanom.me/?a=commitdiff_plain;h=15abebec1430fb27da4c513ed7f8fdf1aff8595d;p=AdrOS.git
security: handle copy_to_user failures in socket syscalls (Fase 3)
---
diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index d62ba309..c9b764d9 100644
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -4914,7 +4914,11 @@ static void extended_syscall_dispatch(struct registers* regs, uint32_t syscall_n
 int new_fd = fd_alloc(f);
 if (new_fd < 0) { sock_node_close(sn); kfree(f); sc_ret(regs) = (uint32_t)-EMFILE; return; }
 if (sc_arg1(regs)) {
- (void)copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa));
+ if (user_range_ok((void*)sc_arg1(regs), sizeof(sa)) == 0) {
+ if (copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa)) < 0) {
+ sock_node_close(sn); kfree(f); fd_close(new_fd); sc_ret(regs) = (uint32_t)-EFAULT; return;
+ }
+ }
 }
 sc_ret(regs) = (uint32_t)new_fd;
 return;
@@ -5026,7 +5030,11 @@ static void extended_syscall_dispatch(struct registers* regs, uint32_t syscall_n
 kfree(kbuf_r); sc_ret(regs) = (uint32_t)-EFAULT; return;
 }
 if (sc_arg4(regs)) {
- (void)copy_to_user((void*)sc_arg4(regs), &src, sizeof(src));
+ if (user_range_ok((void*)sc_arg4(regs), sizeof(src)) == 0) {
+ if (copy_to_user((void*)sc_arg4(regs), &src, sizeof(src)) < 0) {
+ kfree(kbuf_r); sc_ret(regs) = (uint32_t)-EFAULT; return;
+ }
+ }
 }
 }
 kfree(kbuf_r);
@@ -5340,7 +5348,11 @@ static void extended_syscall_dispatch(struct registers* regs, uint32_t syscall_n
 memset(&sa, 0, sizeof(sa));
 int r = ksocket_getpeername(sid, &sa);
 if (r == 0 && sc_arg1(regs)) {
- (void)copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa));
+ if (user_range_ok((void*)sc_arg1(regs), sizeof(sa)) == 0) {
+ if (copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa)) < 0) {
+ sc_ret(regs) = (uint32_t)-EFAULT; return;
+ }
+ }
 }
 sc_ret(regs) = (uint32_t)r;
 return;
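Review bot: In the accept path (@@ -4914) a destination that fails `user_range_ok` still ends in a successful return: the added outer `if` has no `else`, so the call hands back `new_fd` with no address written and no -EFAULT, and the same shape repeats in the recvfrom, getpeername and getsockname hunks. The `== 0` comparison also needs checking against the helper's definition, which is outside this diff; if `user_range_ok` returns nonzero for a valid range, as its name suggests, the copy is now attempted only on ranges that failed validation and never on valid ones. A single condition covers both cases, `if (!user_range_ok(p, sizeof(sa)) || copy_to_user(p, &sa, sizeof(sa)) < 0)` with `p` standing for `(void*)sc_arg1(regs)` and the polarity matched to the helper's contract, leading into the existing -EFAULT exit. In this hunk's new exit, `kfree(f)` also runs before `fd_close(new_fd)` while the descriptor slot filled by `fd_alloc(f)` still refers to `f`; unless `fd_close` only clears the slot, that is a use-after-free or double release, so release the slot first or let `fd_close` be the sole teardown. The rest of extended_syscall_dispatch, including `fd_close`, lies outside the hunk.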
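Review bot: `copy_to_user((void*)sc_arg4(regs), &src, sizeof(src))` in the recvfrom path (@@ -5026) exports the whole structure, and nothing in this hunk shows `src` being cleared before it is filled. The getpeername and getsockname hunks run `memset(&sa, 0, sizeof(sa))` first; if `src` (and `sa` in the accept hunk) is a stack object that the socket layer fills only partly, padding and unused fields would carry stale kernel stack bytes to user space. The declaration is outside the hunk, so this is a request to confirm, and where it is missing to add `memset(&src, 0, sizeof(src));` before the receive call.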
@@ -5353,7 +5365,11 @@ static void extended_syscall_dispatch(struct registers* regs, uint32_t syscall_n
 memset(&sa, 0, sizeof(sa));
 int r = ksocket_getsockname(sid, &sa);
 if (r == 0 && sc_arg1(regs)) {
- (void)copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa));
+ if (user_range_ok((void*)sc_arg1(regs), sizeof(sa)) == 0) {
+ if (copy_to_user((void*)sc_arg1(regs), &sa, sizeof(sa)) < 0) {
+ sc_ret(regs) = (uint32_t)-EFAULT; return;
+ }
+ }
 }
 sc_ret(regs) = (uint32_t)r;
 return;