Skip to content

πŸ”’ Fix missing arena bounds check in obj_bump#26

Closed
undivisible wants to merge 1 commit into
mainfrom
security-fix-obj-bump-bounds-11355866470254841318
Closed

πŸ”’ Fix missing arena bounds check in obj_bump#26
undivisible wants to merge 1 commit into
mainfrom
security-fix-obj-bump-bounds-11355866470254841318

Conversation

@undivisible

@undivisible undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

🎯 What: Fixed a vulnerability in the obj_bump object arena bump allocator which lacked boundary checks, potentially allowing unbounded memory allocations.
⚠️ Risk: Without a bounds check, excessive allocations could write past the end of the obj_arena, leading to buffer overflows, kernel data corruption, and potentially allowing arbitrary code execution or crashes (Denial of Service).
πŸ›‘οΈ Solution: Introduced the obj_arena_end variable which tracks the upper bound of the object arena. Updated obj_bump to verify that next pointers do not surpass obj_arena_end. If the bound is exceeded, unreachable() is triggered, immediately halting execution and safely preventing exploitation of the buffer overflow.

PR created automatically by Jules for task 11355866470254841318 started by @undivisible

@undivisible @google-labs-jules
Fix missing arena bounds check in obj_bump
67a9027 
Added `obj_arena_end` tracking to `obj_arena_init` and checked if allocations exceed it in `obj_bump`, calling `unreachable()` if so.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

undivisible added a commit that referenced this pull request Jun 29, 2026
@undivisible
fix: merge clean PRs and libc/allocator security batch
22933b8 
- Fix stray brace in kernel-root.in and remove dead thr_exit return
- Add heap/obj_arena bounds checks (PRs #30, #26)
- Harden malloc/calloc/realloc; replace strcpy with strlcpy; remove strcat
  (PRs #20, #18, #21, #28, #15)
- Split nvme_pci_init, restore e1000_rx_poll, use FS_MAX_FILES constants
  (PRs #14, #17, #16)
- Refresh context.md ponytail index after service-wrapper deletion
@undivisible

undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Changes applied directly on main (rebased past shell.in extraction and service-wrapper deletion). Used panic() instead of unreachable()/assert() where the PRs referenced undefined helpers.

@undivisible

undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Merged to main in 22933b8. Changes applied directly on main (rebased past shell.in extraction and service-wrapper deletion). Used panic() instead of unreachable()/assert() where the PRs referenced undefined helpers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@undivisible