FreeBSD Kernel buffer overflow

Xin LI delphij at
Sat Sep 18 12:18:27 PDT 2004

On Sat, Sep 18, 2004 at 12:10:14PM +0200, gerarra at wrote:
> In my post I told that this is *NOT* exploitable but if somebody finds a
> method? what you can say? In underground comunities it's not so rare, patching
> is better than having a new exploits for freebsd. I was very deluded by
> this approach to potential security problem...
> (I repeat: *POTENTIAL*).

You have some different idea from ours.  However, I think it might be
useful to clarify our idea.

	1. A kernel must trust itself in order for it to be efficient.
	   It is not bad to have sanity checks, but checking it repeatly
	   will pose a performance pain.  With this in mind, the correct
	   approach might be to have sanity check in the entry point,
	   rather than having it everywhere.

	   This is say, a input procedure must have everything in a
	   sanity state in its early stage and, in addition, same check
	   should not be done in elsewhere because it just repeatly
	   check what is guaranteed to be true, in a production kernel
	   this is not quite useful and even in a debug kernel it is
	   not perferred approach because we don't have to explicitly
	   have if(1==1) or something like this.

	2. As many people in this discussion has pointed out, it is
	   necessary to have root access in order to alter a system
	   call.  That is say, that in order to successfully exploit
	   this "vulnerablity" you have to be root first, and we have
	   infinite "exploits" in this situation, because the attacker
	   already got the ultimate power.

	   We don't need to fear someone who already killed us, right?

	3. Security is determined by the weakest tach.  With this in
	   concern, let's think about the following scenario:

	   Every system calls have correct sanity check in their
	   entry point while foo() have not.

	   Someone has injected foo() with another way to have some
	   code in kernel.

	   The kernel code exploited the issue you mentioned.

	   But is it actually wrong with the issue?  Isn't it the
	   weakest tach within the foo() system call?  Shouldn't it
	   be fixed?

Hope this is helpful for the debate, and hope I have expressed my idea
correctly.  With these consideration, I think it is not very necessary
to have the sanity check of parameter numbers for a system call entry
because it need root access already and if the gain of root is considered
harmful, then it's not the sanity of parameter numbers check but the
actual problem should be fixed. 

Xin LI <delphij frontfree net>
See complete headers for GPG key and other information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-hackers mailing list