From owner-freebsd-hackers@FreeBSD.ORG Sat Sep 18 09:19:06 2004
Message-Id: <200409180918.i8I9ItWl001012@gw.catspoiler.org>
Date: Sat, 18 Sep 2004 02:18:55 -0700 (PDT)
From: Don Lewis
To: pjd@FreeBSD.org
In-Reply-To: <20040918090227.GX30151@darkness.comp.waw.pl>
cc: freebsd-hackers@FreeBSD.org
cc: gerarra@tin.it
cc: keramida@FreeBSD.org
Subject: Re: FreeBSD Kernel buffer overflow

On 18 Sep, Pawel Jakub Dawidek wrote:
> On Fri, Sep 17, 2004 at 12:37:12PM +0300, Giorgos Keramidas wrote:
> +> % +#ifdef INVARIANTS
> +> % + KASSERT(0 <= narg && narg <= 8, ("invalid number of syscall args"));
> +> % +#endif
>
> Maybe:
> KASSERT(0 <= narg && narg <= sizeof(args) / sizeof(args[0]),
>     ("invalid number of syscall args"));
>
> So if we decide to increase/decrease it someday, we don't have to remember
> about this KASSERT().

What keeps the attacker from installing two syscalls, the first of which
pokes NOPs over the KASSERT code, and the second of which accepts too
many arguments?
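Review bot: the bound in the quoted KASSERT is a hardcoded 8 rather than the size of the destination array, so the assertion and the buffer it guards can silently drift apart; tie it to `sizeof(args) / sizeof(args[0])` as the follow-up suggests. Also, the surrounding `#ifdef INVARIANTS` makes explicit that this is a debug-kernel diagnostic only: a kernel built without INVARIANTS gets no check here at all, so the assertion cannot be the sole guard on the argument count and a runtime rejection is still needed where the entry is installed.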
If you think we really need this bit of extra security, why not just prevent the syscall with too many arguments from being registered by syscall_register()? At least that keeps the check out of the most frequently executed path.
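The registration-time alternative Don describes, as an added illustration that is not FreeBSD's code: a hypothetical, simplified syscall table (`sysent_model`, `syscall_register_model`, `syscall_dispatch_model` and `MAXARGS` are all assumed names, not FreeBSD's `struct sysent` or `syscall_register()`) where an entry declaring more argument words than the per-call buffer holds is refused when it is installed, so the hot dispatch path carries no assertion and no table entry can ever drive an over-long copy.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical, simplified syscall table; not FreeBSD's struct sysent or
 * syscall_register(). MAXARGS models the per-call argument buffer the
 * quoted KASSERT was guarding. */
#define MAXARGS  8
#define NSYSCALL 16

typedef long sysarg_t;                        /* one argument word */
typedef int (*sy_call_t)(const sysarg_t *args);
struct sysent_model {
    int       sy_narg;   /* argument words this syscall takes */
    sy_call_t sy_call;   /* handler; NULL marks a free slot */
};
static struct sysent_model sysent[NSYSCALL];

/* Registration-time check: an entry whose argument count exceeds the
 * buffer is refused here, so no table entry can ever describe an
 * over-long copy into args[] and the dispatch path needs no assertion. */
int syscall_register_model(int num, int narg, sy_call_t fn)
{
    if (num < 0 || num >= NSYSCALL || fn == NULL)
        return EINVAL;
    if (narg < 0 || narg > MAXARGS)
        return EINVAL;       /* would overflow args[] at dispatch */
    if (sysent[num].sy_call != NULL)
        return EEXIST;       /* slot already taken */
    sysent[num].sy_narg = narg;
    sysent[num].sy_call = fn;
    return 0;
}

/* Dispatch path, copyin modelled as memcpy from uargs (at least MAXARGS
 * words): the copy length is bounded by construction, not by a KASSERT. */
int syscall_dispatch_model(int num, const sysarg_t *uargs)
{
    sysarg_t args[MAXARGS];
    if (num < 0 || num >= NSYSCALL || sysent[num].sy_call == NULL)
        return ENOSYS;
    memcpy(args, uargs, (size_t)sysent[num].sy_narg * sizeof(args[0]));
    return sysent[num].sy_call(args);
}

/* Sample handler: returns the sum of its first two argument words. */
static int add2_handler(const sysarg_t *a) { return (int)(a[0] + a[1]); }
```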