FreeBSD Kernel buffer overflow

gerarra at tin.it gerarra at tin.it
Sat Sep 18 06:34:13 PDT 2004


Here I report a patch different from Giorgos' one. The approach is completely
different: it works on the syscall_register() function in the kern/kern_syscalls.c
file.

==============================

> cat kern_syscalls.diff
--- kern_syscalls.c     Sat Sep 18 14:37:53 2004
+++ kern_syscalls2.c    Sat Sep 18 14:37:53 2004
@@ -73,6 +73,11 @@
                                sysent[*offset].sy_call != (sy_call_t *)lkmressys)
                return EEXIST;

+#if (__i386__) && (INVARIANTS)
+       KASSERT(new_sysent->nargs >= 0 && new_sysent->nargs <= i386_SYS_ARGS,
+               "invalid number of syscalls");
+#endif
+
        *old_sysent = sysent[*offset];
        sysent[*offset] = *new_sysent;
        return 0;
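Review bot: the KASSERT in this hunk will not compile as written. FreeBSD's KASSERT(exp, msg) expands msg as the argument list of panic, so the message must be parenthesized, e.g. `("invalid number of syscall arguments")`, and it should say "arguments" rather than "syscalls" since it is new_sysent->nargs that is being checked. The `#if (__i386__) && (INVARIANTS)` guard is also redundant and non-idiomatic: KASSERT already compiles to nothing without INVARIANTS, and `defined(__i386__)` is the usual spelling. More importantly, an assertion only protects INVARIANTS kernels; on a production kernel a module that registers nargs larger than i386_SYS_ARGS is still accepted, so consider rejecting it unconditionally with a `return EINVAL;` alongside the existing `return EEXIST;` instead of panicking only in debug builds.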


==============================

> cat trap.diff
--- trap.c      Sat Sep 18 14:38:00 2004
+++ trap2.c     Sat Sep 18 14:38:00 2004
@@ -902,7 +902,7 @@
        u_int sticks;
        int error;
        int narg;
-       int args[8];
+       int args[i386_SYS_ARGS];
        u_int code;

        /*
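Review bot: sizing args[] with i386_SYS_ARGS removes the magic number but does not by itself close the overflow. Nothing in this hunk bounds narg against i386_SYS_ARGS before args[] is populated from user-supplied parameters, and the registration-time KASSERT in kern_syscalls.c is compiled out on kernels built without INVARIANTS, so a runtime check in this function that rejects narg > i386_SYS_ARGS before the array is filled is still needed. trap.c also relies on i386_SYS_ARGS arriving through sys/cdefs.h rather than including the header that defines it explicitly.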


==============================

> cat cdefs.diff
--- cdefs.h     Sat Sep 18 14:37:38 2004
+++ cdefs2.h    Sat Sep 18 14:37:38 2004
@@ -467,4 +467,6 @@
 #endif
 #endif

+#define i386_SYS_ARGS          8
+
 #endif /* !_SYS_CDEFS_H_ */
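Review bot: sys/cdefs.h is the wrong home for this constant. It is a machine-independent header included by practically every kernel and userland translation unit, so an i386 kernel-only definition placed here leaks into the userland namespace and into every other architecture's build; a machine-dependent header such as the i386 machine/param.h, with an include guard, is the right place. The define also has no `#ifndef i386_SYS_ARGS` guard against redefinition, and its mixed-case name does not follow the all-caps macro convention visible in the surrounding file (`_SYS_CDEFS_H_`).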



The main improvement is that it doesn't affect handler performance (even
in INVARIANTS-compiled kernels) and the check is done once. It could be
clear enough. You can download the tgz at http://www.gufi.org/~rookie/args-diff.tar.gz


goodbye,
rookie
