From: Julian Elischer <julian@elischer.org>
Date: Fri, 17 Sep 2004 04:24:12 -0700
To: gerarra@tin.it
Cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD Kernel buffer overflow
Message-ID: <414AC95C.9000900@elischer.org>
In-Reply-To: <4146316C000082CE@ims3a.cp.tin.it>

gerarra@tin.it wrote:

>> Some architectures are limited in the number of arguments that they allow
>> to be passed as direct values in a syscall. It is considered pretty bad style
>> to use too many. If one wants to pass more data then it is preferable to have
>> a structure and pass a POINTER to it.
>
> I wonder why you repeat obvious things...

Because you are not listening maybe? (As just about everyone on IRC has commented, so it's not just me. I'm just the guy who decided to answer you..)

>> Suggesting that the limit of 8 be upped however is a lot different from
>> coming out of nowhere claiming that there is a big problem with buffer over-runs
>> (which are interpreted as security flaws)
>
> You don't seem so practised in security. Let me say one thing. A lot of exploits
> are done for parts initially "not exploitable". The fact you and me haven't
> found a way to do that doesn't mean it can't be done...

LISTEN! YOU CAN NOT CHANGE THE NUMBER OF ARGUMENTS ON A SYSCALL UNLESS YOU ARE ROOT ALREADY! OK? If you can then there are much more interesting targets to go after than that..

>> Nowhere did you suggest that your aim is to increase the number
>> of arguments acceptable to a syscall but rather you presented the problem
>> as a consistency problem.
>
> Maybe you need to read again my first advisory. And maybe the whole topic...

You did not give an advisory. You gave a misinformed, misleading email about something that is not a problem.

>> As a matter of style and consistency the way that I perceive the developers
>> as taking in our discussions is that 8 is far more than enough and that
>> a debug failure for > 8 would be just fine.
>
> IMHO it is not a good patch, but if you want...

>> If you can show your patch and it is of a high quality then it will be a
>> lot more useful to your cause than making a lot of misleading and misdirected
>> claims on the mailing lists, and wasting everyone's time for a problem that
>> really doesn't exist..
>
> The problem exists. Even a good "You can't add more than 8 arguments to
> your syscall (without wrapping in struct)" in some handbook could be useful.
> I don't think I'm wasting the time of everyone, that's just a bug report and
> the fact *you* think it is not a problem doesn't mean it doesn't exist.

Asking for this fact to be documented somewhere is a far cry from your initial "advisory". What you SHOULD have done is as follows.

"In a private project I am doing I need to add a syscall with more than 8 arguments. In order to allow me to do this I needed to add the following patch. .. [shows patch].. Since this patch is of no real cost and adds functionality, could it please be incorporated. I have submitted it in pr kern/xyzzy"

That would have gotten you a lot more positive response than a false advisory. (Though you would have probably been told by most people to use copyin/copyout and a structure, because the syscall interface is one of the parts of the system that is under current scrutiny for improvement and optimisation, and people are likely to consider more than 8 arguments as not a necessity if it slows things down at all.)

I've been doing this for 30 years and on BSD for 15 years so I DO know what I am talking about when I say that what you pointed out is understood as NOT A SECURITY ISSUE by everyone concerned. It's like complaining that the seats on a jumbo cannot withstand 800C temperature... if you have 800C on the seats you have bigger problems to worry about.

So if you decide to rephrase what you want we'll listen to you. If you want to go around making false bug reports then that's ok too but we won't listen.. It's your choice.