`is_valid_user_ptr` (kernel/syscall/syscall.c) has an overly narrow blacklist, while `sys_sound_play` allows arbitrary reads

## Summary

`is_valid_user_ptr()` uses a blacklist that only blocks a narrow 256MB range (`0x40000000-0x50000000`), allowing user processes to read/write most kernel memory through syscalls. A similar issue exists in `sys_sound_play` where a user pointer is passed directly to the DMA driver.

## Details

### is_valid_user_ptr() blacklist bypass

`kernel/syscall/syscall.c:103-108`:

```c
if (ptr >= KERNEL_START && ptr < KERNEL_END)
    return 0;  // only blocks 0x40000000-0x50000000
return 1;      // accepts almost all other addresses
```

This allows user processes to access:
- All kernel memory above `0x50000000`
- Device MMIO registers (`0x00000000-0x0FFFFFFF` on ARM64)
- Other processes' heap memory (global shared heap at `0x10000000-0x14000000`)

### sys_sound_play arbitrary kernel memory read

`kernel/syscall/syscall.c:657-669`:

```c
if (data < 0x10000000)
    return -EFAULT;
// User pointer passed directly to DMA hardware
return intel_hda_play_pcm((const void *)data, (uint32_t)samples, ...);
```

A user process can pass a kernel address as audio data source. The HDA driver reads from that address and outputs through the audio device, leaking kernel memory contents.

## Impact

HIGH — Kernel memory read/write via syscalls, information disclosure through audio device.

## Suggested Fix

1. Use a whitelist — only allow specific user regions (heap, stack, code segments), deny everything else
2. For `sys_sound_play`, use `copy_from_user()` to copy data into a kernel buffer before passing to the driver

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`is_valid_user_ptr` (kernel/syscall/syscall.c) has an overly narrow blacklist, while `sys_sound_play` allows arbitrary reads #65

Summary

Details

is_valid_user_ptr() blacklist bypass

sys_sound_play arbitrary kernel memory read

Impact

Suggested Fix

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

is_valid_user_ptr (kernel/syscall/syscall.c) has an overly narrow blacklist, while sys_sound_play allows arbitrary reads #65

Description

Summary

Details

is_valid_user_ptr() blacklist bypass

sys_sound_play arbitrary kernel memory read

Impact

Suggested Fix

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

`is_valid_user_ptr` (kernel/syscall/syscall.c) has an overly narrow blacklist, while `sys_sound_play` allows arbitrary reads #65