Date: Sun, 19 Sep 2004 23:05:14 +0200 From: gerarra@tin.it To: FreeBSD-hackers@freebsd.org Subject: Re: FreeBSD Kernel buffer overflow Message-ID: <4146316C0000B2DB@ims3a.cp.tin.it> In-Reply-To: <20040919165011.GA2907@gothmog.gr>
next in thread | previous in thread | raw e-mail | index | archive | help
>Don,
>
>This sounds excellent. Can an src-committer verify that the following
is
>ok and commit it along with the manpage diff I posted earlier to HEAD?
>
>The hard-wired number 8 in there seems like something that could probabl=
y
>be improved a lot, but after looking for a short while I couldn't find
a
>good way of finding out from the arguments of syscall_register() some wa=
y
>to calculate it. Of course, I'm far from an experienced kernel hacker
and
>I'm probably missing something. Feel free to correct the following diff=
>or
>even replace it entirely.
Maybe you can get a look at this approach:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
$arch/include/md_var.h:
> cat md_var.diff
--- md_var2.h Sun Sep 19 22:43:56 2004
+++ md_var.h Sun Sep 19 22:46:23 2004
@@ -41,6 +41,12 @@
extern int (*copyin_vector)(const void *udaddr, void *kaddr, size_t
len);
extern int (*copyout_vector)(const void *kaddr, void *udaddr, size_t=
len);
+/*
+ * Arguments number syscalls definition
+ */
+
+#define MAGIC_SYSCALL_ARGS 8
+
extern long Maxmem;
extern u_int basemem; /* PA of original top of base memory */
extern int busdma_swi_pending;
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
kern/kern_syscall.c:
> cat kern_syscall.diff
--- kern_syscalls.c Sat Sep 18 13:42:21 2004
+++ kern_syscalls2.c Sun Sep 19 23:00:44 2004
@@ -27,6 +27,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/kern/kern_syscalls.c,v 1.11 2004/07/15 08:26=
:05
phk Exp $");
+#include <machine/md_var.h>
+
#include <sys/param.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
@@ -58,6 +60,9 @@
syscall_register(int *offset, struct sysent *new_sysent,
struct sysent *old_sysent)
{
+ if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAGIC_SYSCAL=
L_ARGS)
+ return EINVAL;
+
if (*offset =3D=3D NO_SYSCALL) {
int i;
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
i386/i386/trap.c
--- trap.c Sat Sep 18 14:30:19 2004
+++ trap2.c Sun Sep 19 22:47:33 2004
@@ -902,7 +902,7 @@
u_int sticks;
int error;
int narg;
- int args[8];
+ int args[MAGIC_SYSCALL_ARGS];
u_int code;
/*
The idea is that for every architecture MAGIC_SYSCALL_ARGS can be defined=
in md_var.h (it's alredy included in handlers sources). Here just i386 ex=
ample
is done to show approach. It could be more flexible than a static approac=
h.
I hope you will enjoy it.
rookie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4146316C0000B2DB>