Date: Sat, 18 Sep 2004 15:34:11 +0200
From: gerarra@tin.it
To: freebsd-hackers@freebsd.org
Subject: FreeBSD Kernel buffer overflow
Message-ID: <4146316C0000A4AF@ims3a.cp.tin.it>
Here I report a patch different from Giorgos' one. The approach is completely
different: it works on the syscall_register() function in the
kern/kern_syscalls.c file.
==============================
> cat kern_syscalls.diff
--- kern_syscalls.c Sat Sep 18 14:37:53 2004
+++ kern_syscalls2.c Sat Sep 18 14:37:53 2004
@@ -73,6 +73,11 @@
sysent[*offset].sy_call != (sy_call_t *)lkmressys)
return EEXIST;
+#if (__i386__) && (INVARIANTS)
+ KASSERT(new_sysent->nargs >= 0 && new_sysent->nargs <= i386_SYS_ARGS,
+ "invalid number of syscalls");
+#endif
+
*old_sysent = sysent[*offset];
sysent[*offset] = *new_sysent;
return 0;
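Review bot: the KASSERT at the `+ "invalid number of syscalls"` line will not compile in an INVARIANTS build: FreeBSD's KASSERT(exp, msg) expands msg into `panic msg`, so the second argument must carry its own parentheses, i.e. `("syscall_register: nargs %d out of range", new_sysent->nargs)`, which also fixes the message text (what is bounded is the argument count of one handler, not the number of syscalls). Confirm the member name too: the hunk reads new_sysent->nargs, while struct sysent in sys/sysent.h names that field sy_narg. The `#if (__i386__) && (INVARIANTS)` guard is redundant, since KASSERT is already empty without INVARIANTS, and `defined(__i386__)` is the usual spelling. More importantly, because the check exists only under INVARIANTS, a production kernel still accepts a module whose nargs exceeds the handler's args[] and the overflow this thread is about remains; returning EINVAL unconditionally, like the EEXIST path two lines above, closes it in every build and costs nothing on the syscall fast path, which is the property the e-mail is aiming for.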
==============================
> cat trap.diff
--- trap.c Sat Sep 18 14:38:00 2004
+++ trap2.c Sat Sep 18 14:38:00 2004
@@ -902,7 +902,7 @@
u_int sticks;
int error;
int narg;
- int args[8];
+ int args[i386_SYS_ARGS];
u_int code;
/*
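Review bot: changing `int args[8]` to `int args[i386_SYS_ARGS]` only gives the array a name for its size; the handler's copy of narg ints into args[] is still bounded by nothing but the sysent entry that supplied narg, so this hunk is safe only if the registration-time check in kern_syscalls.c is actually present, and as posted that check is compiled out in kernels built without INVARIANTS. Either make the registration check unconditional or add a cheap `narg <= i386_SYS_ARGS` guard next to this declaration's use, and note in a comment here that the array length must match the limit enforced at syscall_register().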
==============================
> cat cdefs.diff
--- cdefs.h Sat Sep 18 14:37:38 2004
+++ cdefs2.h Sat Sep 18 14:37:38 2004
@@ -467,4 +467,6 @@
#endif
#endif
+#define i386_SYS_ARGS 8
+
#endif /* !_SYS_CDEFS_H_ */
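Review bot: sys/cdefs.h is the wrong home for `#define i386_SYS_ARGS 8`; it is a compiler and language-feature header shared with userland and every architecture, and an i386-specific kernel limit on syscall argument count belongs in a machine-dependent header (or beside struct sysent in sys/sysent.h) under a kernel guard. The name also reads like a count of syscalls; calling it i386_SYS_MAXARGS, or adding a one-line comment that it is the size of args[] in trap.c's syscall() and the largest sy_narg a sysent entry may carry, would prevent the two from drifting apart.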
The main improvement is that it doesn't affect handler performance (even
in INVARIANTS-compiled kernels), and the check is done once. It should be
clear enough. You can download the tgz from http://www.gufi.org/~rookie/args-diff.tar.gz
goodbye,
rookie
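The registration-time bound the patch describes, as an added example that is not part of the original e-mail or of FreeBSD's code: a cut-down C model of the sysent table, the registration path before and after bounding the argument count, and the dispatcher's fixed args[] copy. Every name here (sysent_init, syscall_register_unchecked, syscall_register_checked, dispatch_overflow_bytes, SYS_MAXARGS, NSYSENT, mod_handler) and the constructed user stack are assumptions of the example; the kernel's struct sysent, sysent[] and lkmressys are only mimicked. It goes beyond the patch in one way: it returns EINVAL at registration instead of using KASSERT, so the check also holds in kernels built without INVARIANTS.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel structures the patch touches; these are
 * assumptions for the example, not FreeBSD's real definitions. */
#define SYS_MAXARGS 8   /* size of args[] in the i386 syscall() handler */
#define NSYSENT     16  /* size of the toy sysent table */

typedef int sy_call_t(void *td, void *uap);

struct sysent {
    int        sy_narg;   /* number of int-sized arguments the handler takes */
    sy_call_t *sy_call;   /* the handler */
};

static struct sysent sysent[NSYSENT];

/* Stand-ins for the kernel's reserved-slot marker and a module's handler. */
static int lkmressys(void *td, void *uap) { (void)td; (void)uap; return ENOSYS; }
static int mod_handler(void *td, void *uap) { (void)td; (void)uap; return 0; }

/* Reset every slot to "free", as a fresh table would be. */
void sysent_init(void)
{
    for (int i = 0; i < NSYSENT; i++) {
        sysent[i].sy_narg = 0;
        sysent[i].sy_call = lkmressys;
    }
}

/* Registration as it was before the patch: the slot must be free, but
 * nothing bounds sy_narg, so a module can install a handler that claims
 * more arguments than the dispatcher's args[] can hold. */
int syscall_register_unchecked(int offset, const struct sysent *new_sysent)
{
    if (offset < 0 || offset >= NSYSENT)
        return EINVAL;
    if (sysent[offset].sy_call != lkmressys)
        return EEXIST;
    sysent[offset] = *new_sysent;
    return 0;
}

/* Hardened registration: bound sy_narg once, at registration time, so the
 * per-syscall fast path is untouched.  Returning EINVAL (rather than a
 * KASSERT) keeps the check in kernels built without INVARIANTS. */
int syscall_register_checked(int offset, const struct sysent *new_sysent)
{
    if (offset < 0 || offset >= NSYSENT)
        return EINVAL;
    if (sysent[offset].sy_call != lkmressys)
        return EEXIST;
    if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > SYS_MAXARGS)
        return EINVAL;
    sysent[offset] = *new_sysent;
    return 0;
}

/* Model of the dispatcher's argument fetch: it copies sy_narg ints from the
 * user stack into a fixed args[SYS_MAXARGS] on the kernel stack.  Instead of
 * performing an oversized copy, report how many bytes would spill past the
 * end of args[]; 0 means the copy fits. */
size_t dispatch_overflow_bytes(int code)
{
    int args[SYS_MAXARGS];
    /* constructed "user stack" with more words than args[] can take */
    const int user_stack[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                 9, 10, 11, 12, 13, 14, 15, 16 };
    size_t need;

    if (code < 0 || code >= NSYSENT)
        return 0;
    need = (size_t)sysent[code].sy_narg * sizeof(int);
    if (need > sizeof(args))
        return need - sizeof(args);
    memcpy(args, user_stack, need);      /* safe: need <= sizeof(args) */
    return 0;
}

int main(void)
{
    struct sysent bad = { 12, mod_handler };   /* claims 12 args, args[] holds 8 */

    sysent_init();
    printf("unchecked: rc=%d, overflow=%zu bytes\n",
           syscall_register_unchecked(5, &bad), dispatch_overflow_bytes(5));
    sysent_init();
    printf("checked:   rc=%d (EINVAL=%d)\n",
           syscall_register_checked(5, &bad), EINVAL);
    return 0;
}
```

The unchecked path accepts the 12-argument entry and the dispatcher would then write 16 bytes past args[]; the checked path refuses the entry with EINVAL before any syscall can reach it, which is the same trade the e-mail makes: one check at load time, none on the hot path.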
