feat(process): Add user-space address validation for fs/gs #1336
Merged
fslongjin merged 1 commit into DragonOS-Community:master from Nov 4, 2025
fslongjin (Member) commented Nov 3, 2025
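- Add user-space validation of the FS/GS addresses in the ARCH_SET_FS and ARCH_SET_GS system calls
- Add user-space validation of the TLS address during process clone
- Add a KernelCloneArgs::verify() method for validating clone arguments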
Contributor
Pull Request Overview
This PR enables fork test support and adds address validation for thread-local storage (TLS) and segment base addresses. The changes improve security by verifying user-space addresses before they are used in clone operations and arch_prctl syscalls.
- Enabled `fork_test` in the gvisor test whitelist with an associated blocklist
- Added TLS address validation in `KernelCloneArgs::verify()`
- Added address validation for FS/GS base registers in `arch_prctl` syscall
- Modified process cleanup to ignore errors when unregistering from procfs
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| user/apps/tests/syscall/gvisor/whitelist.txt | Enabled fork_test in the test suite |
| user/apps/tests/syscall/gvisor/blocklists/fork_test | Added blocklist for fork test cases that are known to fail |
| kernel/src/process/syscall/clone_utils.rs | Added verification call before processing clone arguments |
| kernel/src/process/mod.rs | Changed procfs unregistration to ignore errors during cleanup |
| kernel/src/process/fork.rs | Added verify method to validate TLS address and moved verification before PCB creation |
| kernel/src/arch/x86_64/process/syscall.rs | Added address validation for FS and GS base addresses in arch_prctl |
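- Add user-space validation of the FS/GS addresses in the ARCH_SET_FS and ARCH_SET_GS system calls
- Add user-space validation of the TLS address during process clone
- Add a KernelCloneArgs::verify() method for validating clone arguments

Signed-off-by: longjin <longjin@DragonOS.org>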
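The two checks this PR describes, as an added Rust example that is not DragonOS code: a user-supplied FS/GS base is validated before it is stored, and a clone TLS pointer is validated only when `CLONE_SETTLS` is set. The user-space limit, the errno values, and the `ThreadBases` and `CloneArgs` types are assumptions modeled on Linux x86_64; the `ARCH_SET_*` codes and `CLONE_SETTLS` are the Linux ABI values.

```rust
// Added illustration, not DragonOS source. Items marked "assumed" are assumptions.
/// Assumed top of user space (the Linux x86_64 4-level-paging limit).
const USER_MAX_VADDR: u64 = 0x0000_7fff_ffff_f000;
// arch_prctl(2) codes and clone(2) flag from the Linux x86_64 ABI.
const ARCH_SET_GS: u64 = 0x1001;
const ARCH_SET_FS: u64 = 0x1002;
const CLONE_SETTLS: u64 = 0x0008_0000;

/// Errno choice follows Linux (EPERM for an out-of-range base); assumed here.
#[derive(Debug, PartialEq)]
enum Errno { EPERM, EINVAL }

/// Accept a base only if it lies below the user/kernel split. That rejects
/// kernel-half addresses and non-canonical ones in a single comparison.
fn check_user_base(addr: u64) -> Result<u64, Errno> {
    if addr >= USER_MAX_VADDR { Err(Errno::EPERM) } else { Ok(addr) }
}

/// Hypothetical per-thread state: the bases loaded on the next context switch.
#[derive(Default, Debug)]
struct ThreadBases { fsbase: u64, gsbase: u64 }

/// The ARCH_SET_* arms of arch_prctl: validate first, store only on success.
fn arch_prctl_set(t: &mut ThreadBases, code: u64, addr: u64) -> Result<(), Errno> {
    match code {
        ARCH_SET_FS => t.fsbase = check_user_base(addr)?,
        ARCH_SET_GS => t.gsbase = check_user_base(addr)?,
        _ => return Err(Errno::EINVAL),
    }
    Ok(())
}

/// Hypothetical subset of the clone arguments.
struct CloneArgs { flags: u64, tls: u64 }

impl CloneArgs {
    /// The TLS pointer is consumed only with CLONE_SETTLS, so check it only then.
    fn verify(&self) -> Result<(), Errno> {
        if self.flags & CLONE_SETTLS != 0 { check_user_base(self.tls)?; }
        Ok(())
    }
}

fn main() {
    let mut t = ThreadBases::default();
    println!("{:?}", arch_prctl_set(&mut t, ARCH_SET_FS, 0x7f00_0000_1000));
    println!("{:?}", arch_prctl_set(&mut t, ARCH_SET_GS, 0xffff_8000_0000_0000));
    println!("{:?} {:?}", t, CloneArgs { flags: CLONE_SETTLS, tls: u64::MAX }.verify());
}
```

Calling `verify()` before any child state is created means a rejected TLS address leaves nothing to unwind.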