cvs commit: src/sys/kern kern_sysctl.c

Constantine A. Murenin cnst at
Mon Sep 3 12:07:07 PDT 2007

On 02/09/07, Robert Watson <rwatson at> wrote:
> rwatson     2007-09-02 09:59:33 UTC
>   FreeBSD src repository
>   Modified files:
>     sys/kern             kern_sysctl.c
>   Log:
>   In userland_sysctl(), call useracc() with the actual newlen value to be
>   used, rather than the one passed via 'req', which may not reflect a
>   rewrite.  This call to useracc() is redundant to validation performed by
>   later copyin()/copyout() calls, so there isn't a security issue here,

Yes, the above is correct.  E.g. down the line in
sysctl_handle_string(9), the SYSCTL_IN() macro is used to call
sysctl_new_user(9), which uses copyin(9).

>   but this could technically lead to excessive validation of addresses if
>   the length in newlen is shorter than req.newlen.

No, this is actually not the case -- 'newlen' can never be less than
'req.newlen', because both are of 'size_t' type, and the 'req'
structure is bzero'ed at the beginning of userland_sysctl(). Hence,
before this fix, useracc(9) in question was called with a zero as its
'len' parameter.

I think it is also noteworthy to mention that this a 12-year-old bug.
It was introduced in 1995 (kern_sysctl.c#rev1.38), although this line
was touched slightly in 1999 (kern_sysctl.c#rev1.91).

Best regards,

>   Approved by:    re (kensmith)
>   Reviewed by:    jhb
>   Submitted by:   Constantine A. Murenin <cnst+freebsd at>
>   Sponsored by:   Google Summer of Code 2007
>   Revision  Changes    Path
>   1.177     +1 -1      src/sys/kern/kern_sysctl.c

More information about the cvs-src mailing list