FreeBSD Kernel buffer overflow

Julian Elischer julian at elischer.org
Fri Sep 17 04:24:16 PDT 2004


gerarra at tin.it wrote:
> 
>>Some architectures are limited in the number of arguments that they allow
>>to be passed as direct values in a syscall.  It is considered pretty bad style
>>to use too many. If one wants to pass more data then it is preferable to have
>>a structure and pass a POINTER to it.
>>
> 
> 
> I wonder why you repeat obvious things...

Because you are not listening maybe? (as just about everyone on IRC
has commented, so it's not just me. I'm just the guy who decided to
answer you..).

> 
> 
>>Suggesting that the limit of 8 be upped however is a lot different from coming
>>out of nowhere claiming that there is a big problem with buffer over-runs
>>(which are interpreted as security flaws)
>>
> 
> 
> You don't seem so practised in security. Let me say one thing. A lot of exploits
> are done for parts initially "not exploitable". The fact you and me haven't
> found a way to do that doesn't mean it can't be done...

LISTEN!
YOU CAN NOT CHANGE THE NUMBER OF ARGUMENTS ON A SYSCALL UNLESS YOU ARE ROOT 
ALREADY! OK? if you can then there are much more interesting targets to go
after than that..


> 
> 
>>Nowhere did you suggest that your aim is to increase the number
>>of arguments acceptable to a syscall but rather you presented the problem
>>as a consistency problem.
>>
> 
> 
> Maybe you need to read again my first advisory. And maybe the whole topic...

You did not give an advisory. You gave a misinformed, misleading email about
something that is not a problem.

> 
> 
>>As a matter of style and consistency the way that I perceive the developers
>>as taking in our discussions is that 8 is far more than enough and that
>>a debug failure for > 8 would be just fine.
>>
> 
> 
> IMHO is not a good patch, but if you want...
> 
> 
>>If you can show your patch and it is of a high quality then it will be a lot
>>more useful to your cause than making a lot of misleading and misdirected
>>claims on the mailing lists, and wasting everyone's time for a problem that
>>really doesn't exist..
> 
> 
> The problem exists. Even a good "You can't add more than 8 arguments to
> your syscall (without wrapping in struct)" in some handbook could be useful.
> I don't think I'm wasting time of everyone, that's just a bug report and
> the fact *you* think is not a problem doesn't mean it doesn't exist.

Asking for this fact to be documented somewhere is a far cry from your
initial "advisory".



What you SHOULD have done is as follows.

"In a private project I am doing I need to add a syscall with more than
  8 arguments. In order to allow me to do this I needed to add the following
patch. .. [shows patch]..
Since this patch is of no real cost and adds functionality, could it please be 
incorporated. I have submitted it in pr kern/xyzzy"


That would have gotten you a lot more positive response than a false advisory.
(though you would have probably been told by most people to use copyin/copyout
and a structure because the syscall interface is one of the parts of the system
that is under current scrutiny for improvement and optimisation and people are
likely to consider more than 8 arguments as not a necessity if it slows things
down at all.)

I've been doing this for 30 years and on BSD for 15 years so I DO know what I
am talking about when I say that what you pointed out is understood as NOT A
SECURITY ISSUE by everyone concerned. It's like complaining that the seats on
a jumbo cannot withstand 800C temperature... if you have 800C on the seats
you have bigger problems to worry about.


so if you decide to rephrase what you want we'll listen to you.
if you want to go around making false bug reports then that's ok too
but we won't listen.. it's your choice.


> 
> 
> 
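The two things the thread keeps circling, a hard cap on direct syscall arguments (the "debug failure for > 8") and the alternative of passing one pointer to a structure that the kernel copies in, modelled in user space as an added example. This is not FreeBSD's code and not from either poster: the names (MAXSYSARGS, sysent_entry, register_syscall, fake_copyin, dispatch, many_args) are hypothetical, the limit of 8 is taken from the discussion, and fake_copyin only imitates what copyin() does with a bounds check against a known source length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on direct arguments; the "8" comes from the thread. */
#define MAXSYSARGS 8
#define NSYSCALLS 4
typedef long register_t;

/* Simplified model of a syscall table entry, not FreeBSD's struct sysent. */
struct sysent_entry {
    int narg;                                  /* number of direct arguments */
    long (*handler)(const register_t *args);   /* receives the copied array */
};
static struct sysent_entry sysent[NSYSCALLS];

/* The "debug failure for > 8" from the thread, as a hard refusal at registration. */
int register_syscall(int num, int narg, long (*handler)(const register_t *))
{
    if (num < 0 || num >= NSYSCALLS || handler == NULL)
        return 0;
    if (narg < 0 || narg > MAXSYSARGS)
        return 0;                              /* would overrun args[] in dispatch() */
    sysent[num].narg = narg;
    sysent[num].handler = handler;
    return 1;
}

/* Stand-in for copyin(): "user" memory is another buffer; -1 if len exceeds it. */
static int fake_copyin(const void *uaddr, void *kaddr, size_t len, size_t ulen)
{
    if (len > ulen)
        return -1;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Dispatcher: copies narg values into a fixed array; safe only because narg was bounded. */
long dispatch(int num, const register_t *uargs, size_t uargs_count, int *error)
{
    register_t args[MAXSYSARGS];
    *error = -1;
    if (num < 0 || num >= NSYSCALLS || sysent[num].handler == NULL)
        return -1;
    size_t narg = (size_t)sysent[num].narg;
    if (fake_copyin(uargs, args, narg * sizeof(register_t),
                    uargs_count * sizeof(register_t)) != 0)
        return -1;
    *error = 0;
    return sysent[num].handler(args);
}

/* Struct-pointer alternative: one argument points at a user structure the handler copies in. */
struct many_args {
    uint32_t version;                          /* lets the layout grow later */
    long v[12];                                /* more than MAXSYSARGS worth of data */
};

static long sum_direct(const register_t *args)
{
    return args[0] + args[1] + args[2];
}

static long sum_via_struct(const register_t *args)
{
    const struct many_args *ua = (const struct many_args *)(uintptr_t)args[0];
    struct many_args ka;
    if (fake_copyin(ua, &ka, sizeof ka, sizeof ka) != 0 || ka.version != 1)
        return -1;                             /* bad copy or unknown layout */
    long s = 0;
    for (int i = 0; i < 12; i++) s += ka.v[i];
    return s;
}

/* Registers both styles, checks a 9-argument entry is refused, runs each on constructed input. */
int demo(long *direct_result, long *struct_result)
{
    memset(sysent, 0, sizeof sysent);
    if (!register_syscall(0, 3, sum_direct)) return 1;
    if (register_syscall(1, 9, sum_direct)) return 2;      /* must be refused */
    if (!register_syscall(2, 1, sum_via_struct)) return 3;
    int err;
    register_t uargs[3] = {1, 2, 3};                       /* constructed user args */
    *direct_result = dispatch(0, uargs, 3, &err);
    if (err) return 4;
    struct many_args ua = { .version = 1 };                /* constructed user struct */
    for (int i = 0; i < 12; i++) ua.v[i] = i + 1;
    register_t ptrarg[1] = { (register_t)(uintptr_t)&ua };
    *struct_result = dispatch(2, ptrarg, 1, &err);
    return err ? 5 : 0;
}

int main(void)
{
    long d = 0, s = 0;
    int rc = demo(&d, &s);
    printf("rc=%d direct=%ld struct=%ld\n", rc, d, s);
    return rc;
}
```

The point of the registration check is that the only place a too-large argument count can enter is the table itself, which in a real kernel is written by someone who is already root; refusing it there keeps the dispatcher's fixed-size array honest without any per-call cost. The struct variant shows why the developers quoted above prefer it once a call needs more than a handful of values: the count of direct arguments stays at one, and the handler alone decides how much to copy in and how to validate it.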