From 8f8f09ac82b7f8b3a9b4bcd8d9122ac811c059e5 Mon Sep 17 00:00:00 2001
From: Jonas 'Sortie' Termansen
Date: Sun, 19 Jan 2014 18:22:53 +0100
Subject: [PATCH] Fix insecure user-space pointer dereferences in sys_tfork.

---
 sortix/process.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sortix/process.cpp b/sortix/process.cpp
index 5dbf52f5..d4ddcd71 100644
--- a/sortix/process.cpp
+++ b/sortix/process.cpp
@@ -930,8 +930,12 @@ cleanup_done:
 return result;
 }
 
-static pid_t sys_tfork(int flags, tforkregs_t* regs)
+static pid_t sys_tfork(int flags, tforkregs_t* user_regs)
 {
+ tforkregs_t regs;
+ if ( !CopyFromUser(®s, user_regs, sizeof(regs)) )
+ return -1;
+
 if ( Signal::IsPending() )
 return errno = EINTR, -1;
 
@@ -940,7 +944,7 @@ static pid_t sys_tfork(int flags, tforkregs_t* regs)
 return errno = ENOSYS, -1;
 
 CPU::InterruptRegisters cpuregs;
- InitializeThreadRegisters(&cpuregs, regs);
+ InitializeThreadRegisters(&cpuregs, ®s);
 
 // TODO: Is it a hack to create a new kernel stack here?
 Thread* curthread = CurrentThread();
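Review bot: The new `return -1;` after a failed CopyFromUser in the first hunk sets no errno, while the neighbouring early returns in the same function do (`return errno = EINTR, -1;`, `return errno = ENOSYS, -1;`); unless CopyFromUser sets errno itself, which this hunk does not show, a caller passing an unmapped or kernel-space pointer gets -1 with whatever errno was left over from an earlier call. `return errno = EFAULT, -1;` would make the rejection reportable and consistent with the rest of sys_tfork. Copying the struct once into the kernel-stack `regs` and pointing InitializeThreadRegisters at that copy in the second hunk is the right shape, since user memory is read exactly once and cannot change between the validation and the use. The `®s` in both added lines looks like a rendering artifact of `&regs` rather than something in the committed source. sys_tfork continues past the end of the second hunk, so any later use of the old parameter name would not be visible here.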