From owner-cvs-all@FreeBSD.ORG Mon Sep 3 19:07:07 2007
From: "Constantine A. Murenin"
Sender: mureninc@gmail.com
Date: Mon, 3 Sep 2007 15:07:05 -0400
To: "Robert Watson"
Cc: cvs-src@freebsd.org, Shteryana Shopova, src-committers@freebsd.org, cvs-all@freebsd.org, "Constantine A. Murenin"
Subject: Re: cvs commit: src/sys/kern kern_sysctl.c
In-Reply-To: <200709020959.l829xYGo077991@repoman.freebsd.org>
References: <200709020959.l829xYGo077991@repoman.freebsd.org>

On 02/09/07, Robert Watson wrote:
> rwatson     2007-09-02 09:59:33 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/kern             kern_sysctl.c
>   Log:
>   In userland_sysctl(), call useracc() with the actual newlen value to be
>   used, rather than the one passed via 'req', which may not reflect a
>   rewrite.  This call to useracc() is redundant to validation performed by
>   later copyin()/copyout() calls, so there isn't a security issue here,

Yes, the above is correct. E.g. down the line in sysctl_handle_string(9),
the SYSCTL_IN() macro is used to call sysctl_new_user(9), which uses
copyin(9).

>   but this could technically lead to excessive validation of addresses if
>   the length in newlen is shorter than req.newlen.

No, this is actually not the case -- 'newlen' can never be less than
'req.newlen', because both are of 'size_t' type, and the 'req' structure
is bzero'ed at the beginning of userland_sysctl(). Hence, before this
fix, useracc(9) in question was called with a zero as its 'len'
parameter.

I think it is also noteworthy to mention that this is a 12-year-old bug.
It was introduced in 1995 (kern_sysctl.c#rev1.38), although this line
was touched slightly in 1999 (kern_sysctl.c#rev1.91).

Best regards,
Constantine.

>   Approved by:    re (kensmith)
>   Reviewed by:    jhb
>   Submitted by:   Constantine A. Murenin
>   Sponsored by:   Google Summer of Code 2007
>
>   Revision  Changes    Path
>   1.177     +1 -1      src/sys/kern/kern_sysctl.c
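The following is an added, user-space model of the control flow the thread discusses; it is not FreeBSD's kern_sysctl.c and not code from either correspondent. It assumes a single simplified "user" address range, stand-in functions `model_useracc()` and `model_copyin()` for useracc(9) and copyin(9), and a `use_fixed` flag that selects whether the pre-check uses the zero-initialised `req.newlen` (pre-revision-1.177 behaviour, as the mail describes it) or the real `newlen`. It shows why a zero-length useracc() check can never reject anything, why the later copyin() still catches the bad range, and why the fix moves the rejection earlier without changing the outcome.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address-space model: one accessible user region, everything
 * else faults. These values are assumptions for the example only. */
#define USER_BASE 0x1000u
#define USER_SIZE 0x100u

static bool range_is_user(uintptr_t addr, size_t len)
{
    /* A zero-length range is trivially accessible: nothing is touched. This
     * is what made the old useracc(req.newlen) call pass unconditionally. */
    if (len == 0)
        return true;
    if (addr + len < addr)              /* arithmetic wrap-around */
        return false;
    return addr >= USER_BASE && addr + len <= USER_BASE + USER_SIZE;
}

/* Stand-in for useracc(9): non-zero if [addr, addr+len) is accessible. */
static int model_useracc(uintptr_t addr, size_t len)
{
    return range_is_user(addr, len) ? 1 : 0;
}

/* Stand-in for copyin(9): the authoritative check, EFAULT on a bad range. */
static int model_copyin(uintptr_t uaddr, void *kaddr, size_t len)
{
    if (!range_is_user(uaddr, len))
        return EFAULT;
    memset(kaddr, 0xAB, len);           /* pretend the bytes were copied */
    return 0;
}

/* Subset of the request structure relevant here. */
struct model_sysctl_req {
    uintptr_t newptr;
    size_t    newlen;
};

enum outcome { REJECTED_BY_USERACC, REJECTED_BY_COPYIN, ACCEPTED };

/* use_fixed == 0: pre-check uses req.newlen (still zero from the bzero);
 * use_fixed == 1: pre-check uses the real newlen (the committed fix). */
static enum outcome model_userland_sysctl(uintptr_t newp, size_t newlen,
                                          int use_fixed)
{
    struct model_sysctl_req req;
    unsigned char kbuf[USER_SIZE];

    memset(&req, 0, sizeof(req));       /* the bzero() at function entry */

    if (newp != 0) {
        /* Both lengths are size_t, so newlen can never be below req.newlen
         * (which is 0 here); the old check therefore validated zero bytes. */
        size_t checked = use_fixed ? newlen : req.newlen;
        if (!model_useracc(newp, checked))
            return REJECTED_BY_USERACC;
        req.newlen = newlen;
        req.newptr = newp;
    }

    /* Later SYSCTL_IN() -> sysctl_new_user() -> copyin() path. */
    if (req.newptr != 0 && model_copyin(req.newptr, kbuf, req.newlen) != 0)
        return REJECTED_BY_COPYIN;
    return ACCEPTED;
}

int main(void)
{
    static const char *names[] = { "rejected by useracc", "rejected by copyin",
                                   "accepted" };
    /* Same bad pointer, old and fixed pre-check: both reject, at different
     * points. A valid pointer is accepted either way. */
    printf("bad ptr, old:   %s\n", names[model_userland_sysctl(0x5000u, 16, 0)]);
    printf("bad ptr, fixed: %s\n", names[model_userland_sysctl(0x5000u, 16, 1)]);
    printf("good ptr, old:  %s\n", names[model_userland_sysctl(USER_BASE, 16, 0)]);
    return 0;
}
```

The point the model makes concrete: a pre-validation that uses the wrong (here, zero) length is not a missing security check only because the copy routine re-validates with the real length; once the pre-check receives the real `newlen`, an out-of-range buffer is turned away before the request structure is even filled in.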