userspace: Additional checks in K_SYSCALL_MEMORY

This macros needed additional checks before invoking
arch_buffer_validate.

- size can not be less then 0. Some functions invoke this macro
  using signed type which will be promote to unsigned when invoking
  arch_buffer_validate. We need to do an early check.
- We need to check for possible overflow, since a malicious user
  application could use a negative number that would be promoted
  to a big value that would cause a integer overflow when adding it
  to the buffer address, leading to invalid checks.

Signed-off-by: Flavio Ceolin <[email protected]>

Author: Flavio Ceolin

include/syscall_handler.h

@@ -346,8 +346,9 @@ extern int z_user_string_copy(char *dst, const char *src, size_t maxlen);
  * @return 0 on success, nonzero on failure
  */
 #define Z_SYSCALL_MEMORY(ptr, size, write) \
-	Z_SYSCALL_VERIFY_MSG(arch_buffer_validate((void *)ptr, size, write) \
-			     == 0, \
+	Z_SYSCALL_VERIFY_MSG((size >= 0) && !Z_DETECT_POINTER_OVERFLOW(ptr, size) \
+			     && (arch_buffer_validate((void *)ptr, size, write) \
+			     == 0), \
 			     "Memory region %p (size %zu) %s access denied", \
 			     (void *)(ptr), (size_t)(size), \
 			     write ? "write" : "read")