From 332d39445ce93aa9b70e7d5d4254d7be233657b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juhani=20Krekel=C3=A4?=
Date: Wed, 9 Feb 2022 19:53:38 +0200
Subject: [PATCH] Fix handling of bad file descriptors in dup(2).

Previously, sys_dup() would do dtable->Get() on the passed in-file descriptor and then pass the result directly to dtable->Allocate(). If the file descriptor is not valid, dtable->Get() returns a NULL reference and sets errno to mark the error. Since sys_dup() did not check the return value of dtable->Get() and dtable->Allocate() does not check whether the passed in Ref is a NULL reference, dup(2) with invalid file descriptor would succesfully allocate a new file descriptor with garbage contents.

This commit changes sys_dup() to use a variant of dtable->Allocate() that takes in a file descriptor as an integer and properly validates it before use.
---
 kernel/io.cpp | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/io.cpp b/kernel/io.cpp
index 77a50233..bf05903d 100644
--- a/kernel/io.cpp
+++ b/kernel/io.cpp
@@ -138,9 +138,7 @@ int sys_closefrom(int fd)
 
 int sys_dup(int fd)
 {
-	Ref dtable = CurrentProcess()->GetDTable();
-	Ref desc = dtable->Get(fd);
-	return dtable->Allocate(desc, 0);
+	return CurrentProcess()->GetDTable()->Allocate(fd, 0);
 }
 
 int sys_dup3(int oldfd, int newfd, int flags)
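Review bot: The fix in sys_dup() now rests entirely on the integer-taking Allocate(int, int) overload rejecting an invalid descriptor and setting errno, which is outside this hunk and not visible to a reader of sys_dup(); a one-line comment on the added line, such as `// Allocate(int, int) validates fd itself and reports EBADF via errno on failure`, would record why the explicit Get() step was dropped. Since the original pattern of Get() followed by the Ref-taking Allocate() produced a descriptor with garbage contents for a bad fd, a regression test that calls dup(2) on a closed descriptor and expects -1/EBADF would keep this from reappearing. sys_dup3 is declared on the last context line but its body lies outside the hunk, so whether it (or the F_DUPFD path in fcntl) still uses the Get()-then-Allocate(Ref) sequence cannot be told from here and is worth checking in the same pass. It may also be worth having the Ref-taking Allocate() reject a NULL reference rather than relying on every caller to check first.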