From 8297c769e658e953fc72854a7345e65ed8e632cd Mon Sep 17 00:00:00 2001
From: TomAwezome
Date: Mon, 12 Sep 2022 00:41:09 -0400
Subject: [PATCH] Fix zealbooter memmap kernel header buffer-overflow.

Previously the zealbooter memmap e820 assignment loop used the entry count value passed via limine, without checking if it was over MEM_E820_ENTRIES_NUM, the #define constant value limit of entries that are stored in the kernel header's e820 region. This commit bumps up the constant entry count to 64 from 48, and also adds a small check in zealbooter to ensure that the entry count value used in the memmap loop caps off at the constant value.
---
 src/Kernel/KernelA.HH | 4 ++--
 zealbooter/trampoline.S | 3 ---
 zealbooter/zealbooter.c | 20 +++++++++++++++++---
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/Kernel/KernelA.HH b/src/Kernel/KernelA.HH
index 56e6fd03..c70c2cb5 100755
--- a/src/Kernel/KernelA.HH
+++ b/src/Kernel/KernelA.HH
@@ -427,7 +427,7 @@ class CSysLimitBase
 };
 #help_index "Memory/Info"
-#define MEM_E820_ENTRIES_NUM 48
+#define MEM_E820_ENTRIES_NUM 64
 #define MEM_E820t_USABLE 1
 #define MEM_E820t_RESERVED 2
 #define MEM_E820t_ACPI 3
@@ -4546,4 +4546,4 @@ class CProgress
 #define PRINTF_NEG_E 0x400
 #define PRINTF_NEG_AUX_FORMAT_NUM 0x800
-#help_index ""
\ No newline at end of file
+#help_index ""
diff --git a/zealbooter/trampoline.S b/zealbooter/trampoline.S
index c8897ff3..62398b05 100644
--- a/zealbooter/trampoline.S
+++ b/zealbooter/trampoline.S
@@ -5,9 +5,6 @@ trampoline:
 // Set new stack
 mov %rdx, %rsp
-// hlt
-// hlt
-
 // Load GDTR
 lgdt (%rcx)
diff --git a/zealbooter/zealbooter.c b/zealbooter/zealbooter.c
index eab4a057..500165f0 100644
--- a/zealbooter/zealbooter.c
+++ b/zealbooter/zealbooter.c
@@ -44,7 +44,7 @@ struct CDate {
 int32_t date;
 } __attribute__((packed));
-#define MEM_E820_ENTRIES_NUM 48
+#define MEM_E820_ENTRIES_NUM 64
 #define MEM_E820T_USABLE 1
 #define MEM_E820T_RESERVED 2
@@ -243,8 +243,22 @@ void _start(void) {
 kernel->mem_physical_space = 0;
+ size_t mem_count = 0;
+ if (memmap_request.response->entry_count > MEM_E820_ENTRIES_NUM)
+ {
+ mem_count = MEM_E820_ENTRIES_NUM;
+ // If limine hands us more regions than the constant, cap it off early instead of buffer overflowing into kernel headers.
+ // This won't guarantee we'll get lucky with framebuffer placement passed via limine.
+ // If the mem_count gets capped at the constant, the system should still boot fully (drive activity lights, reading compiler and code from disc, etc),
+ // just possibly with no visible framebuffer. :^)
+ }
+ else
+ {
+ mem_count = memmap_request.response->entry_count;
+ }
+
 printf("memory map:\n");
- for (size_t i = 0; i < memmap_request.response->entry_count; i++) {
+ for (size_t i = 0; i < mem_count; i++) {
 struct limine_memmap_entry *entry = memmap_request.response->entries[i];
 int our_type;
@@ -293,7 +307,7 @@ void _start(void) {
 }
 printf("\n");
- kernel->mem_E820[memmap_request.response->entry_count].type = 0;
+ kernel->mem_E820[mem_count].type = 0;
 kernel->mem_physical_space = align_up_u64(kernel->mem_physical_space, 0x200000);
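Review bot: The cap still lets the terminator write land one element past the table: when `entry_count >= MEM_E820_ENTRIES_NUM` the new branch sets `mem_count` to `MEM_E820_ENTRIES_NUM`, and the later hunk stores `kernel->mem_E820[mem_count].type = 0;` at that index, which is out of bounds if `mem_E820` holds exactly MEM_E820_ENTRIES_NUM entries (the commit message describes the constant as that limit). Reserve a slot for the sentinel by changing the two lines to `if (memmap_request.response->entry_count >= MEM_E820_ENTRIES_NUM)` and `mem_count = MEM_E820_ENTRIES_NUM - 1;`, and say so in the comment: `// Keep one slot free for the type == 0 terminator written after the loop.` Truncation is also silent; a `printf("memory map truncated\n");` in the capped branch would make a boot with missing regions diagnosable from the console. The constant is now defined twice (KernelA.HH and zealbooter.c), so a `// Must match MEM_E820_ENTRIES_NUM in src/Kernel/KernelA.HH.` at the zealbooter.c definition in the first hunk would keep the two copies from drifting. `_start` continues on both sides of the hunk.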