Summary
sys_brk, sys_mmap, and sys_munmap use the global variables user_brk_current and user_mmap_current, together with a single global fd_table, to manage the user heap and open files. All processes share the same address space and file descriptors — there is no per-process isolation.
Details
kernel/syscall/syscall.c:28, 369-371:
static struct fd_entry fd_table[MAX_FDS]; // global fd table, shared by every process
static uint64_t user_brk_current = USER_HEAP_START; // global heap pointer (brk)
static uint64_t user_mmap_current = USER_HEAP_START + USER_HEAP_SIZE / 2; // global mmap pointer
Process A allocates heap memory via sys_brk in the range 0x10000000-0x12000000. Process B can directly read/write Process A's data through sys_read(fd, 0x10001000, 4096) or by using the same address range.
Impact
MEDIUM — Cross-process information disclosure and privilege escalation. Any process can read/write any other process's memory and file descriptors. Relevant in multi-user or multi-process environments.
Suggested Fix
Implement per-process address space management (mm_struct equivalent) with separate brk pointers, mmap regions, and fd tables.
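As an added illustration of the suggested fix (example code written for this report, not the project's own): a minimal mm_struct equivalent in C where sys_brk and the user-buffer bounds check operate on the calling process's state instead of the globals. The constants, the per-process slice layout, and the names mm_init, sys_brk_per_process and user_range_ok are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constants are assumed for illustration; the kernel's real values are not on the page. */
#define USER_HEAP_START 0x10000000ULL
#define USER_HEAP_SIZE  0x04000000ULL
#define MAX_FDS         16
#define MAX_PROCS       4

struct fd_entry { int in_use; uint64_t inode; };
/* Minimal mm_struct equivalent: heap bounds and fd table owned by one process. */
struct mm_struct {
    uint64_t brk_start;                 /* lowest address this process's heap may use */
    uint64_t brk_current;               /* current program break */
    uint64_t brk_limit;                 /* exclusive upper bound of this process's heap */
    struct fd_entry fd_table[MAX_FDS];  /* per-process, not global */
};

struct process { int pid; struct mm_struct mm; };
static struct process procs[MAX_PROCS];
static struct process *current;         /* set by the scheduler on context switch */

/* Give each process a disjoint slice of the heap region (hypothetical layout). */
void mm_init(struct process *p, int pid) {
    uint64_t slice = USER_HEAP_SIZE / MAX_PROCS;
    p->pid = pid;
    p->mm.brk_start = USER_HEAP_START + (uint64_t)pid * slice;
    p->mm.brk_current = p->mm.brk_start;
    p->mm.brk_limit = p->mm.brk_start + slice;
    for (int i = 0; i < MAX_FDS; i++) p->mm.fd_table[i].in_use = 0;
}

/* sys_brk against the calling process's mm instead of a global pointer. A
 * request outside the process's own range is refused and the old break returned. */
uint64_t sys_brk_per_process(uint64_t new_brk) {
    struct mm_struct *mm = &current->mm;
    if (new_brk == 0 || new_brk < mm->brk_start || new_brk > mm->brk_limit)
        return mm->brk_current;
    mm->brk_current = new_brk;
    return new_brk;
}

/* Bounds-check a user buffer against the calling process's heap before a copy
 * such as sys_read(fd, buf, len) writes to it; len is compared with the space
 * left below the break rather than computing addr + len, so it cannot wrap. */
int user_range_ok(uint64_t addr, size_t len) {
    struct mm_struct *mm = &current->mm;
    return addr >= mm->brk_start && addr < mm->brk_current &&
           len <= mm->brk_current - addr;
}
```

With this layout a sys_read targeting 0x10001000 from a second process fails the range check instead of landing in the first process's heap.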