From: gerarra@tin.it
To: FreeBSD-hackers@freebsd.org
Date: Sun, 19 Sep 2004 23:05:14 +0200
Subject: Re: FreeBSD Kernel buffer overflow
Message-ID: <4146316C0000B2DB@ims3a.cp.tin.it>
In-Reply-To: <20040919165011.GA2907@gothmog.gr>

>Don,
>
>This sounds excellent. Can an src-committer verify that the following is
>ok and commit it along with the manpage diff I posted earlier to HEAD?
>
>The hard-wired number 8 in there seems like something that could probably
>be improved a lot, but after looking for a short while I couldn't find a
>good way of finding out from the arguments of syscall_register() some way
>to calculate it. Of course, I'm far from an experienced kernel hacker and
>I'm probably missing something. Feel free to correct the following diff or
>even replace it entirely.

Maybe you can have a look at this approach:

==================================================
$arch/include/md_var.h:

> cat md_var.diff
--- md_var2.h	Sun Sep 19 22:43:56 2004
+++ md_var.h	Sun Sep 19 22:46:23 2004
@@ -41,6 +41,12 @@
 extern int (*copyin_vector)(const void *udaddr, void *kaddr, size_t len);
 extern int (*copyout_vector)(const void *kaddr, void *udaddr, size_t len);
 
+/*
+ * Arguments number syscalls definition
+ */
+
+#define MAGIC_SYSCALL_ARGS 8
+
 extern long Maxmem;
 extern u_int basemem;	/* PA of original top of base memory */
 extern int busdma_swi_pending;
==================================================
kern/kern_syscall.c:

> cat kern_syscall.diff
--- kern_syscalls.c	Sat Sep 18 13:42:21 2004
+++ kern_syscalls2.c	Sun Sep 19 23:00:44 2004
@@ -27,6 +27,8 @@
 #include
 __FBSDID("$FreeBSD: src/sys/kern/kern_syscalls.c,v 1.11 2004/07/15 08:26:05 phk Exp $");
 
+#include
+
 #include
 #include
 #include
@@ -58,6 +60,9 @@
 syscall_register(int *offset, struct sysent *new_sysent,
     struct sysent *old_sysent)
 {
+	if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > MAGIC_SYSCALL_ARGS)
+		return EINVAL;
+
 	if (*offset == NO_SYSCALL) {
 		int i;
 
==================================================
i386/i386/trap.c

--- trap.c	Sat Sep 18 14:30:19 2004
+++ trap2.c	Sun Sep 19 22:47:33 2004
@@ -902,7 +902,7 @@
 	u_int sticks;
 	int error;
 	int narg;
-	int args[8];
+	int args[MAGIC_SYSCALL_ARGS];
 	u_int code;

The idea is that for every architecture MAGIC_SYSCALL_ARGS can be defined in
md_var.h (it's already included in the handlers' sources). Here just the i386
example is done to show the approach. It could be more flexible than a static
approach. I hope you will enjoy it.

rookie
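Review bot: On the md_var.h hunk, the comment above the new define does not say what the value bounds, and the value itself is still the hard-wired 8 that the quoted reply wanted to get rid of: the macro gives the handler's `args[]` size and the `syscall_register()` check one shared definition, which is the real gain, but nothing derives it. Suggest a comment that states the contract, e.g. `/* Maximum number of syscall arguments the trap handler copies into args[] */`, and a name without "MAGIC" in it (`SYSCALL_MAXARGS` or similar, as a suggestion). Since `kern_syscalls.c` is machine-independent, the define has to appear in every architecture's `md_var.h`, not only i386's, or the kernel stops building on the others.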
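Review bot: On the first kern_syscalls.c hunk (`@@ -27,6 +27,8 @@`), the header name is missing from the `+#include` line as quoted, so a committer cannot see which file is being pulled in; please repost with the angle-bracketed name intact. Assuming it is the architecture's `md_var.h`, its placement between `__FBSDID()` and the `sys/` includes goes against the style(9) ordering of `sys/` headers first and `machine/` headers after them, so move it below the existing `#include` block. It also makes a machine-independent file depend on a machine-dependent header, which must exist and define the macro on every architecture.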
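Review bot: Two points on the `syscall_register()` hunk (`@@ -58,6 +60,9 @@`). First, confirm what `sy_narg` holds in this tree before relying on a plain comparison: if flag bits are packed above the argument count (check whether the i386 handler masks `sy_narg` with `SYF_ARGMASK` before using it as a count; if it does, that is the tell), then `new_sysent->sy_narg > MAGIC_SYSCALL_ARGS` is true for every flagged entry and legitimate registrations come back `EINVAL`; compare the masked count, `(new_sysent->sy_narg & SYF_ARGMASK) > MAGIC_SYSCALL_ARGS`, in that case. Second, style(9) wants `return (EINVAL);` with parentheses, matching the rest of the file. Placing the check ahead of the `*offset == NO_SYSCALL` branch is right, since the entry is rejected before any slot is allocated or overwritten; the new `EINVAL` return should also go into the manpage diff mentioned in the quoted reply.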
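Review bot: Nothing in the trap.c hunk bounds `narg` at the point where `args[]` is filled; the array is only as safe as the register-time check, and any sysent entry that did not pass through `syscall_register()` is not covered. A `KASSERT(narg <= MAGIC_SYSCALL_ARGS, ("syscall narg too large"))` next to the declaration, or a clamp, would make the invariant visible where it is relied on. Only i386 is converted here: the other architectures' trap handlers keep their literal `8` while the machine-independent check reads the macro, so they need the same edit and the define in the same commit. Note also that the hunk as quoted shows five of the seven context lines its header claims, so regenerate the diff before committing.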
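To make the relationship between the two halves of the approach concrete (a bound checked once at registration, relied on later where the handler copies user arguments into a fixed on-stack array), here is an added userland model. It is example code written for this page, not code from the thread, from rookie's patch, or from the FreeBSD tree. Assumed for the demonstration: a 16-slot syscall table, `memcpy()` standing in for `copyin()`, `sy_narg` holding only the argument count (no flag bits), and the helper names `sum_args` and `demo_dispatch`; only the shape of the `sy_narg` check is taken from the patch.

```c
/*
 * Added example, not code from this thread or from the FreeBSD tree: a
 * userland model of the two places the patch touches. Assumed for the demo:
 * a 16-slot table, memcpy() standing in for copyin(), sy_narg holding only
 * the argument count (no flag bits), and the names sum_args/demo_dispatch.
 */
#include <errno.h>
#include <string.h>

#define SYSCALL_MAXARGS	8	/* stands in for the patch's MAGIC_SYSCALL_ARGS */
#define NO_SYSCALL	(-1)
#define SYSENT_SIZE	16	/* assumed size of the model syscall table */

typedef int sy_call_t(const int *args, int narg);

struct sysent {
	int	 sy_narg;	/* number of int arguments fetched from user space */
	sy_call_t *sy_call;	/* implementing function */
};

static struct sysent sysent[SYSENT_SIZE];

/*
 * Install a syscall. The sy_narg check sits where the patch puts it: before
 * any slot is allocated or overwritten, so an entry whose count exceeds what
 * args[] in the handler can hold never reaches the table.
 */
int
syscall_register(int *offset, struct sysent *new_sysent, struct sysent *old_sysent)
{
	int i;

	if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > SYSCALL_MAXARGS)
		return (EINVAL);
	if (*offset == NO_SYSCALL) {
		for (i = 1; i < SYSENT_SIZE && sysent[i].sy_call != NULL; i++)
			;
		if (i == SYSENT_SIZE)
			return (ENFILE);
		*offset = i;
	} else if (*offset <= 0 || *offset >= SYSENT_SIZE ||
	    sysent[*offset].sy_call != NULL) {
		return (EEXIST);
	}
	*old_sysent = sysent[*offset];
	sysent[*offset] = *new_sysent;
	return (0);
}

/*
 * Model of the trap handler's argument fetch: narg ints go from the user
 * stack (here a plain buffer) into a fixed array on the kernel stack. With an
 * unchecked sy_narg of 16 this memcpy() would run past args[]; the
 * register-time check above is the only thing keeping narg <= SYSCALL_MAXARGS.
 */
int
syscall_dispatch(int code, const int *user_stack, int *result)
{
	int args[SYSCALL_MAXARGS];
	int narg;

	if (code <= 0 || code >= SYSENT_SIZE || sysent[code].sy_call == NULL)
		return (ENOSYS);
	narg = sysent[code].sy_narg;
	memcpy(args, user_stack, (size_t)narg * sizeof(int));
	*result = sysent[code].sy_call(args, narg);
	return (0);
}

/* Demo handler: returns the sum of its arguments. */
static int
sum_args(const int *args, int narg)
{
	int i, s = 0;

	for (i = 0; i < narg; i++)
		s += args[i];
	return (s);
}

/*
 * Try to register sum_args() with the given sy_narg, then invoke it on a
 * constructed user stack holding 1..8. Returns the sum of the first narg
 * values, or -errno when registration or dispatch fails.
 */
int
demo_dispatch(int narg)
{
	int user_stack[SYSCALL_MAXARGS] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	struct sysent new_sysent = { narg, sum_args };
	struct sysent old_sysent;
	int code = NO_SYSCALL, result, error;

	if ((error = syscall_register(&code, &new_sysent, &old_sysent)) != 0)
		return (-error);
	if ((error = syscall_dispatch(code, user_stack, &result)) != 0)
		return (-error);
	return (result);
}
```

The point the model makes is that `syscall_dispatch()` trusts `sy_narg` completely: a count of 16 would copy twice the size of `args[]` onto the stack, and the only thing preventing it is that `syscall_register()` refuses such an entry before it ever lands in the table. If the real `sy_narg` carries flag bits, the comparison in `syscall_register()` would have to mask them out first, which this model deliberately leaves aside.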