FreeBSD Kernel buffer overflow
gerarra at tin.it
Sun Sep 19 14:05:17 PDT 2004
>Don,
>
>This sounds excellent. Can an src-committer verify that the following is
>ok and commit it along with the manpage diff I posted earlier to HEAD?
>
>The hard-wired number 8 in there seems like something that could probably
>be improved a lot, but after looking for a short while I couldn't find a
>good way of finding out from the arguments of syscall_register() some way
>to calculate it. Of course, I'm far from an experienced kernel hacker and
>I'm probably missing something. Feel free to correct the following diff or
>even replace it entirely.
Maybe you can take a look at this approach:
==================================
$arch/include/md_var.h:
> cat md_var.diff
--- md_var2.h Sun Sep 19 22:43:56 2004
+++ md_var.h Sun Sep 19 22:46:23 2004
@@ -41,6 +41,12 @@
extern int (*copyin_vector)(const void *udaddr, void *kaddr, size_t
len);
extern int (*copyout_vector)(const void *kaddr, void *udaddr, size_t
len);
+/*
+ * Arguments number syscalls definition
+ */
+
+#define MAGIC_SYSCALL_ARGS 8
+
extern long Maxmem;
extern u_int basemem; /* PA of original top of base memory */
extern int busdma_swi_pending;
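Review bot: the comment above the new define does not say what the number is; make it explicit, e.g. `/* Maximum number of syscall arguments the trap handler's args[] can hold */`. Since kern_syscalls.c below references MAGIC_SYSCALL_ARGS unconditionally, every architecture's md_var.h must now define it or kern_syscalls.c stops compiling there; a machine-independent default (for instance next to struct sysent in sys/sysent.h, which md_var.h may override) would avoid breaking the other architectures while only the i386 copy is done. Also, this diff has the modified file on the `---` side (`--- md_var2.h` / `+++ md_var.h`) whereas the other two put the modified copy on `+++`; generating all three with `diff -u` against the checked-out tree would make them apply consistently.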
================================
kern/kern_syscall.c:
> cat kern_syscall.diff
--- kern_syscalls.c Sat Sep 18 13:42:21 2004
+++ kern_syscalls2.c Sun Sep 19 23:00:44 2004
@@ -27,6 +27,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/kern/kern_syscalls.c,v 1.11 2004/07/15 08:26:05
phk Exp $");
+#include <machine/md_var.h>
+
#include <sys/param.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
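Review bot: `#include <machine/md_var.h>` is inserted before `<sys/param.h>`, yet the md_var.h hunk above declares prototypes that use size_t and u_int, which the sys/ headers provide; pulling the machine header in first risks a compile error and breaks the kernel convention of sys/param.h first and `<machine/...>` headers last. Move the include below the existing sys/ includes.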
@@ -58,6 +60,9 @@
syscall_register(int *offset, struct sysent *new_sysent,
struct sysent *old_sysent)
{
+ if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAGIC_SYSCALL_ARGS)
+ return EINVAL;
+
if (*offset == NO_SYSCALL) {
int i;
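Review bot: the range check is the right place to bound dynamically registered syscalls, but the return should follow style(9) as `return (EINVAL);` like the surrounding file, and a one-line comment stating why the limit exists (the trap handler copies sy_narg arguments into a fixed-size args[] array) would help the next reader. Note that this only guards syscall_register(); entries compiled into the static sysent table pass through no such check, so the same bound still has to hold for them by construction.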
==============================
i386/i386/trap.c
--- trap.c Sat Sep 18 14:30:19 2004
+++ trap2.c Sun Sep 19 22:47:33 2004
@@ -902,7 +902,7 @@
u_int sticks;
int error;
int narg;
- int args[8];
+ int args[MAGIC_SYSCALL_ARGS];
u_int code;
/*
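Review bot: replacing the literal 8 with MAGIC_SYSCALL_ARGS changes only the declaration; the code that fills args[] from `narg` (not shown in this hunk) is what must be bounded, and nothing in this diff bounds narg inside trap.c itself, so args[] is now safe only because of the syscall_register() check in the other file. If the copy length derived from narg is not already clamped to MAGIC_SYSCALL_ARGS in trap.c, add that clamp (or at least a KASSERT) so the trap handler does not depend on a check elsewhere. Also confirm trap.c really includes <machine/md_var.h>, since this hunk adds no include for the new macro.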
The idea is that MAGIC_SYSCALL_ARGS can be defined per architecture in md_var.h (which is already included by the trap-handler sources). Only the i386 example is done here to show the approach. It could be more flexible than a static approach.
I hope you will enjoy it.
rookie
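As an added illustration (not part of the mail above and not FreeBSD's own sources), here is a small user-space model of the relationship the patch enforces: a registration routine that refuses an entry whose argument count exceeds the fixed argument array, and a dispatcher that copies `sy_narg` words into that array and is therefore safe only because registration bounded the count. The names MAX_SYSCALL_ARGS, struct model_sysent, model_syscall_register() and model_syscall() are hypothetical stand-ins for MAGIC_SYSCALL_ARGS, struct sysent, syscall_register() and the trap handler; the table, the "user" argument words and the sample handler are constructed for the demo.

```c
/* Constructed user-space model of the sy_narg bound (not FreeBSD code). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYSCALL_ARGS 8   /* hypothetical stand-in for MAGIC_SYSCALL_ARGS:
                              * the size of the trap handler's args[] */
#define NO_SYSCALL      (-1)
#define MODEL_NSYSCALLS 16   /* size of the constructed syscall table */

typedef int (*model_sy_call_t)(const int *args, int narg);

/* Stand-in for struct sysent: argument count plus handler. */
struct model_sysent {
	int sy_narg;
	model_sy_call_t sy_call;
};

static struct model_sysent model_sysent[MODEL_NSYSCALLS];

/*
 * Stand-in for syscall_register(): reject any entry whose argument count
 * the dispatcher's fixed args[] could not hold, then allocate a slot
 * (or use the requested one) exactly as a loadable-syscall registration
 * would.  Returns 0 or an errno value.
 */
int
model_syscall_register(int *offset, const struct model_sysent *new_sysent)
{
	int i;

	/* The bound that keeps model_syscall()'s memcpy inside args[]. */
	if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAX_SYSCALL_ARGS)
		return (EINVAL);

	if (*offset == NO_SYSCALL) {
		for (i = 1; i < MODEL_NSYSCALLS; i++)
			if (model_sysent[i].sy_call == NULL)
				break;
		if (i == MODEL_NSYSCALLS)
			return (ENFILE);
		*offset = i;
	} else if (*offset < 0 || *offset >= MODEL_NSYSCALLS) {
		return (EINVAL);
	} else if (model_sysent[*offset].sy_call != NULL) {
		return (EEXIST);
	}
	model_sysent[*offset] = *new_sysent;
	return (0);
}

/*
 * Stand-in for the trap handler: copy sy_narg argument words from the
 * caller-supplied area into a fixed array and invoke the handler.
 * The copy is in bounds only because registration bounded sy_narg.
 * Returns 0 or an errno value; the handler's result goes to *result.
 */
int
model_syscall(int code, const int *uargs, int *result)
{
	int args[MAX_SYSCALL_ARGS];
	const struct model_sysent *callp;

	if (code < 0 || code >= MODEL_NSYSCALLS ||
	    model_sysent[code].sy_call == NULL)
		return (ENOSYS);
	callp = &model_sysent[code];
	memcpy(args, uargs, (size_t)callp->sy_narg * sizeof(int));
	*result = callp->sy_call(args, callp->sy_narg);
	return (0);
}

/* Constructed sample handler: sums its arguments. */
int
sum_args(const int *args, int narg)
{
	int i, s = 0;

	for (i = 0; i < narg; i++)
		s += args[i];
	return (s);
}

int
main(void)
{
	struct model_sysent good = { 3, sum_args };
	struct model_sysent bad = { MAX_SYSCALL_ARGS + 1, sum_args };
	int off = NO_SYSCALL, res = 0;
	int uargs[3] = { 1, 2, 3 };   /* constructed "user" argument words */

	printf("register narg=%d: %d (EINVAL is %d)\n", bad.sy_narg,
	    model_syscall_register(&off, &bad), EINVAL);
	printf("register narg=%d: %d, slot %d\n", good.sy_narg,
	    model_syscall_register(&off, &good), off);
	printf("dispatch: err %d result %d\n",
	    model_syscall(off, uargs, &res), res);
	return (0);
}
```

The point of the model is the pairing: the array size and the registration bound must be the same constant, which is exactly what moving the literal 8 into a shared macro achieves in the patch.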