From 4848c7fe125bcb6151894fb6a4620e0d5e8e2f6c Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Tue, 26 May 2026 02:13:17 -0300
Subject: [PATCH] security: remove hardcoded fixed VAs, use hal_mm_kernel_virt_base() (Fase 2)
---
 include/hal/mm.h | 3 +++
 src/arch/x86/sysenter.S | 5 +++--
 src/kernel/syscall.c | 10 ++++++----
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/include/hal/mm.h b/include/hal/mm.h
index ff14f79e..52133ea9 100644
--- a/include/hal/mm.h
+++ b/include/hal/mm.h
@@ -14,6 +14,9 @@
 #define HAL_MM_MAP_RW (1u << 0)
+/* User space address bounds (architecture-specific) */
+#define HAL_MM_USER_MIN_ADDR 0x08000000U /* Conservative lower bound for user mappings */
+
 int hal_mm_map_physical_range(uintptr_t phys_start, uintptr_t phys_end, uint32_t flags, uintptr_t* out_virt);
 uintptr_t hal_mm_phys_to_virt(uintptr_t phys);
diff --git a/src/arch/x86/sysenter.S b/src/arch/x86/sysenter.S
index 81a3c387..c8cd9902 100644
--- a/src/arch/x86/sysenter.S
+++ b/src/arch/x86/sysenter.S
@@ -82,10 +82,11 @@ sysenter_entry:
 * real arg2 = *(ECX + 8)
 *
 * SECURITY: validate ECX is in user space before dereferencing.
- * If ECX >= 0xC0000000 (kernel base), it could leak kernel data.
+ * Use hal_mm_kernel_virt_base() to get dynamic kernel base.
 * Also check ECX is at least 8 bytes from kernel boundary.
 */
- cmpl $0xC0000000, %ecx
+ call hal_mm_kernel_virt_base
+ cmpl %eax, %ecx
 jae 1f
 cmpl $8, %ecx /* ECX must be at least 8 bytes from kernel boundary */
 jb 1f
diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index ed85615b..2ec485e2 100644
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
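Review bot: The new HAL_MM_USER_MIN_ADDR is introduced as a fixed 0x08000000U in the generic HAL header while its own comment calls it "architecture-specific", which is the same kind of hard-coded VA this commit sets out to remove. If the value genuinely differs per architecture it belongs behind an `#ifndef HAL_MM_USER_MIN_ADDR` guard or in an arch header so a port can override it without editing include/hal/mm.h. The comment should also say what the bound means to its consumers, e.g. `/* Lowest VA a user mapping may start at (inclusive); addresses below are never treated as user-owned. Per-arch override expected. */`, since "conservative lower bound" does not say which side errs.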
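Review bot: The added `call hal_mm_kernel_virt_base` is made while %ecx is live and is compared on the very next line, but under the i386 C calling convention the callee may freely clobber EAX, ECX and EDX, so `cmpl %eax, %ecx` can end up comparing the base against whatever the C function left in ECX (and EDX, the user return EIP under sysenter, is at the same risk if it is still live here). The check also only establishes ECX < base, yet the code goes on to read `*(ECX + 8)`, i.e. bytes up to ECX+12, and the retained `cmpl $8, %ecx / jb 1f` tests the low end of the address space rather than the distance to the kernel boundary its comment describes. A zero return from hal_mm_kernel_virt_base() should fail closed rather than be subtracted from. This assumes a valid kernel stack is already set up at this point of sysenter_entry, which is outside the hunk, as is the rest of the routine.

```asm
 pushl %ecx
 pushl %edx
 call hal_mm_kernel_virt_base
 popl %edx
 popl %ecx
 testl %eax, %eax          /* base unknown: reject rather than compare against 0 */
 jz 1f
 subl $12, %eax            /* *(ECX + 8) reads bytes up to ECX + 12 */
 cmpl %eax, %ecx
 ja 1f
 /* … unchanged: cmpl $8, %ecx / jb 1f … */
```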
@@ -411,7 +411,8 @@ static int syscall_dlopen_impl(const char* user_path) {
 /* Detect 32-bit overflow in p_vaddr + base */
 if (p_vaddr > (UINT32_MAX - base)) continue;
 uint32_t vaddr = p_vaddr + base;
- if (vaddr >= 0xC0000000U) continue;
+ uintptr_t kern_base = hal_mm_kernel_virt_base();
+ if (kern_base && vaddr >= kern_base) continue;
 /* Detect 32-bit overflow in vaddr + p_memsz */
 if (p_memsz > (UINT32_MAX - vaddr)) continue;
@@ -497,7 +498,8 @@ static int syscall_dlopen_impl(const char* user_path) {
 /* Read symbol count from DT_HASH if available: hash[1] = nchain = nsyms */
 uint32_t nsyms = 0;
- if (hash_va && hash_va < 0xC0000000U) {
+ uintptr_t kern_base = hal_mm_kernel_virt_base();
+ if (hash_va && kern_base && hash_va < kern_base) {
 nsyms = *(uint32_t*)(hash_va + 4);
 }
@@ -4367,10 +4369,10 @@ void syscall_handler(struct registers* regs) {
 if (kern_base && end > kern_base) { sc_ret(regs) = (uint32_t)-ENOMEM; return; }
 }
- /* Check stack region (user stack is below 0xC0000000, typically around 0xBFxxxxxx) */
+ /* Check stack region (user stack is below kernel base, typically around 0xBFxxxxxx) */
 if (!owned) {
 uintptr_t kern_base = hal_mm_kernel_virt_base();
- if (kern_base && addr < kern_base && addr >= 0x08000000U)
+ if (kern_base && addr < kern_base && addr >= HAL_MM_USER_MIN_ADDR)
 owned = 1; /* Conservative: allow for text/data/bss/stack regions */
 }
--
2.43.0
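Review bot: The replacement guard in the first hunk fails open: `if (kern_base && vaddr >= kern_base) continue;` skips the kernel-range rejection entirely whenever hal_mm_kernel_virt_base() returns 0, whereas the removed line rejected such segments unconditionally, so a program header whose vaddr lands in kernel space is now accepted in that state. Rejecting when the base is unknown keeps the old behaviour, `if (!kern_base || vaddr >= kern_base) continue;`, and failing the whole dlopen would be cleaner still. The call is also made once per program header inside what looks like the segment loop; fetching the base once before the loop would avoid re-querying the HAL on every iteration. Whether the segment end (vaddr + p_memsz) is later compared against kern_base is presumably handled below the hunk; syscall_dlopen_impl begins and ends outside it.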
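Review bot: In the second hunk `hash_va < kern_base` admits a hash_va as high as kern_base - 1, but the following `*(uint32_t*)(hash_va + 4)` reads bytes hash_va+4 through hash_va+7, so an ELF-supplied DT_HASH address within 8 bytes of the kernel base reads kernel memory. The condition should account for the width of the read, e.g. `if (hash_va && kern_base && hash_va < kern_base && kern_base - hash_va >= 8) {`. This is a raw dereference of an untrusted address from the loaded object; whether the page is actually mapped and aligned is presumably established elsewhere in syscall_dlopen_impl, which starts and ends outside the hunk. The zero-base case here already fails closed (nsyms stays 0), which is the behaviour the first hunk should match.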
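Review bot: The rewritten comment in the third hunk still pins the user stack to "typically around 0xBFxxxxxx", a fixed-layout assumption this commit is meant to retire, and the accompanying `/* Conservative: ... */` misdescribes the check, which marks any address in [HAL_MM_USER_MIN_ADDR, kern_base) as owned regardless of whether it is mapped to this process, a permissive rather than conservative test. Suggested wording: `/* Fallback ownership test: any address in [HAL_MM_USER_MIN_ADDR, kernel base) is assumed to belong to the caller (text/data/bss/stack). Permissive; not a mapping check. */`. The base is also re-fetched in a fresh block right after the preceding block compared `end` against its own kern_base; hoisting one `uintptr_t kern_base = hal_mm_kernel_virt_base();` to the enclosing scope (outside the hunk) would remove the duplicate query. syscall_handler's body extends well beyond the hunk.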