FreeBSD Kernel buffer overflow
gerarra at tin.it
Mon Sep 20 05:28:35 PDT 2004
><machine/param.h> which is installed from
>src/sys/{alpha,amd64,i386,ia64,etc}/param.h would be a more appropriate
>location. There may be cases where you would want to know this value in
>userland, in which case including <machine/md_var.h> would definitely
>not be appropriate.
>
>My preference would be to name it MAX_SYSCALL_ARGS.
>
I followed your suggestions and made the changes. The patch is now available.
I did it for amd64, sparc64, i386 and alpha, since ia64 is not affected. I report
the i386 solution (for the complete diff tree and the other architectures, download
the patch from http://www.gufi.org/~rookie/args-diff.tar.gz):
============================================
$arch/include/param.h
> cat i386_param.diff
--- param2.h Mon Sep 20 14:09:44 2004
+++ param.h Mon Sep 20 13:59:05 2004
@@ -122,6 +122,8 @@
#define VM_BCACHE_SIZE_MAX (200 * 1024 * 1024)
#endif
+#define MAX_SYSCALL_ARGS 8
+
/*
* Mach derived conversion macros
*/
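Review bot: the new `#define MAX_SYSCALL_ARGS 8` carries no comment, and nothing in <machine/param.h> tells a reader that it sizes the `args[]` buffer in trap.c and bounds `sy_narg`; add a one-line comment saying it is the maximum number of syscall arguments the trap handler stages in its stack buffer, so that anyone raising it later knows both uses have to move together. Since the value just preserves the old literal, each architecture's copy of this define must also match that architecture's own trap.c buffer.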
=================================
$arch/$arch/trap.c
> cat i386_trap.diff
--- trap2.c Mon Sep 20 14:09:27 2004
+++ trap.c Mon Sep 20 14:03:23 2004
@@ -902,7 +902,7 @@
u_int sticks;
int error;
int narg;
- int args[8];
+ int args[MAX_SYSCALL_ARGS];
u_int code;
/*
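Review bot: swapping the literal 8 for MAX_SYSCALL_ARGS keeps the buffer the same size and adds no check in this function, so `narg` (declared two lines above) is still trusted here; the fix depends entirely on `sy_narg` having been validated when the sysent entry was installed. A `KASSERT(narg <= MAX_SYSCALL_ARGS, ("syscall narg too large"))` before `args` is filled would catch any entry that reaches this path without going through syscall_register().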
================================
kern/kern_syscalls.c
> cat kern_syscalls.diff
--- kern_syscalls.c Sat Sep 18 13:42:21 2004
+++ kern_syscalls2.c Mon Sep 20 14:18:45 2004
@@ -58,6 +58,16 @@
syscall_register(int *offset, struct sysent *new_sysent,
struct sysent *old_sysent)
{
+#ifndef __ia64__
+ if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAX_SYSCALL_ARGS)
+ {
+ printf("Invalid sy_narg for syscall: boundary is [0 - %d]\n",
+ MAX_SYSCALL_ARGS);
+ return EINVAL;
+ }
+#endif
+
+
if (*offset == NO_SYSCALL) {
int i;
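Review bot: the `#ifndef __ia64__` guard makes the range check silently disappear on any architecture whose <machine/param.h> lacks MAX_SYSCALL_ARGS, which defeats the purpose of a central check; define the constant on every architecture (ia64 included, even if unused there) and drop the guard, so a missing define becomes a build error instead of a missing check. Two smaller points: style(9) wants the brace on the `if` line (`if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAX_SYSCALL_ARGS) {`), and the hunk adds two blank lines after the `#endif` where one is enough. The printf would also be more useful to whoever hits it if it included the rejected `sy_narg` value and `*offset`.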
The other architectures' patches have a similar body.
I hope you will commit it.
rookie