Date: Sat, 18 Sep 2004 15:34:11 +0200
From: gerarra@tin.it
To: freebsd-hackers@freebsd.org
Subject: FreeBSD Kernel buffer overflow
Message-ID: <4146316C0000A4AF@ims3a.cp.tin.it>
Here I report a patch different from Giorgos' one. The approach is completely different: it works on the syscall_register() function in the kern/kern_syscalls.c file.

==============================
> cat kern_syscalls.diff
--- kern_syscalls.c	Sat Sep 18 14:37:53 2004
+++ kern_syscalls2.c	Sat Sep 18 14:37:53 2004
@@ -73,6 +73,11 @@
 	    sysent[*offset].sy_call != (sy_call_t *)lkmressys)
 		return EEXIST;
 
+#if (__i386__) && (INVARIANTS)
+	KASSERT(new_sysent->nargs >= 0 && new_sysent->nargs <= i386_SYS_ARGS,
+	    "invalid number of syscalls");
+#endif
+
 	*old_sysent = sysent[*offset];
 	sysent[*offset] = *new_sysent;
 	return 0;
==============================
> cat trap.diff
--- trap.c	Sat Sep 18 14:38:00 2004
+++ trap2.c	Sat Sep 18 14:38:00 2004
@@ -902,7 +902,7 @@
 	u_int sticks;
 	int error;
 	int narg;
-	int args[8];
+	int args[i386_SYS_ARGS];
 	u_int code;
 
 	/*
==============================
> cat cdefs.diff
--- cdefs.h	Sat Sep 18 14:37:38 2004
+++ cdefs2.h	Sat Sep 18 14:37:38 2004
@@ -467,4 +467,6 @@
 #endif
 #endif
 
+#define i386_SYS_ARGS 8
+
 #endif /* !_SYS_CDEFS_H_ */

The main improvement is that it doesn't affect handler performance (even in INVARIANTS-compiled kernels), and the check is done once. It should be clear enough. You can download the tgz from http://www.gufi.org/~rookie/args-diff.tar.gz

goodbye,
rookie
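Review bot: in the kern_syscalls.c hunk the bound on nargs is wrapped in `#if (__i386__) && (INVARIANTS)`, so on any kernel built without INVARIANTS the check compiles away and a module can still register a sysent whose argument count exceeds i386_SYS_ARGS, leaving the fixed-size args[] in trap.c unprotected exactly where it matters; the range check should sit unconditionally in the normal error path of syscall_register() and fail with EINVAL, the way the EEXIST test just above it fails, instead of panicking only debug kernels. Two smaller points on the same lines: FreeBSD's KASSERT passes its second argument straight to panic as an argument list, so the message has to be written `("invalid number of syscalls")` or the hunk will not compile, and the text should say arguments rather than syscalls, since it is the argument count being checked.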
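Review bot: in the trap.c hunk, `int args[i386_SYS_ARGS]` is the same 8-int buffer as `int args[8]` under a new name; nothing in this hunk bounds narg before the arguments are copied into args[], so the array is only safe if every registered sysent's argument count was rejected at registration time, and that dependency should be stated in a comment on the declaration (it also means the registration check has to be unconditional, not INVARIANTS-only, for the dependency to hold).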
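Review bot: sys/cdefs.h is a machine-independent header pulled in by nearly every userland system header, so an i386-only kernel limit named i386_SYS_ARGS does not belong in the cdefs.h hunk; define it in an i386 machine-dependent header next to the trap code, with a comment tying it to the args[] array in trap.c so the two values cannot drift apart. Style: the guard macro on the visible `#endif /* !_SYS_CDEFS_H_ */` line is upper case, while `i386_SYS_ARGS` mixes case.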
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4146316C0000A4AF>
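As an added example that is not the patch above and not FreeBSD code: a small C model of the two pieces the patch touches, using assumed names (SYS_ARGS, syscall_register_checked, syscall_register_unchecked, dispatch, sys_sum) and a constructed user frame. It shows the pre-patch registration accepting an oversized argument count, a registration-time bound rejecting it once with EINVAL (unconditionally, rather than only under INVARIANTS), and why the trap-side copy into a fixed int args[SYS_ARGS] is only safe while that bound holds.

```c
/* Added example (not the patch or FreeBSD code): a model of the syscall
 * registration bound and the fixed-size argument buffer in the trap handler.
 * All names and values below are assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYS_ARGS  8      /* models i386_SYS_ARGS / int args[8] in trap.c */
#define NSYSCALLS 4      /* toy table size */

typedef int (*sy_call_t)(int *args, int narg);

struct sysent {
    int       sy_narg;   /* argument count the handler expects (assumed name) */
    sy_call_t sy_call;
};

static struct sysent sysent[NSYSCALLS];

/* Stand-in for the EEXIST test in the real function: a slot is free if its
 * handler pointer is NULL. */
static int slot_taken(int off) { return sysent[off].sy_call != NULL; }

/* Pre-patch behaviour: the argument count is never looked at. */
int syscall_register_unchecked(int off, const struct sysent *new_sysent)
{
    if (off < 0 || off >= NSYSCALLS) return EINVAL;
    if (slot_taken(off)) return EEXIST;
    sysent[off] = *new_sysent;
    return 0;
}

/* Registration-time bound: enforced once, on every kernel configuration,
 * and rejected with EINVAL instead of a debug-only KASSERT. */
int syscall_register_checked(int off, const struct sysent *new_sysent)
{
    if (off < 0 || off >= NSYSCALLS) return EINVAL;
    if (new_sysent->sy_narg < 0 || new_sysent->sy_narg > SYS_ARGS) return EINVAL;
    if (slot_taken(off)) return EEXIST;
    sysent[off] = *new_sysent;
    return 0;
}

/* Model of the trap-side dispatch: copies narg ints from the user frame into
 * a SYS_ARGS-sized stack buffer. The per-call guard on narg is the cost the
 * patch wants to avoid paying on every syscall; it is kept here so the model
 * fails closed (returns -1) instead of overflowing args[] when an oversized
 * sysent slipped through registration. */
int dispatch(int code, const int *user_frame, size_t frame_len)
{
    int args[SYS_ARGS];
    if (code < 0 || code >= NSYSCALLS || sysent[code].sy_call == NULL) return -1;
    int narg = sysent[code].sy_narg;
    if (narg < 0 || (size_t)narg > SYS_ARGS || (size_t)narg > frame_len) return -1;
    memcpy(args, user_frame, (size_t)narg * sizeof(int));
    return sysent[code].sy_call(args, narg);
}

/* Toy handler: sums its arguments. */
static int sys_sum(int *args, int narg)
{
    int s = 0;
    for (int i = 0; i < narg; i++) s += args[i];
    return s;
}

void reset_table(void) { memset(sysent, 0, sizeof(sysent)); }

/* Constructed fixtures: a well-formed 3-argument sysent, one claiming 9
 * arguments (more than args[] can hold), and a 9-int user frame. */
const struct sysent sample_ok  = { 3, sys_sum };
const struct sysent sample_bad = { 9, sys_sum };
const int sample_frame[9] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };

int main(void)
{
    reset_table();
    printf("checked  register narg=3: %d\n", syscall_register_checked(0, &sample_ok));
    printf("checked  register narg=9: %d (EINVAL=%d)\n",
           syscall_register_checked(1, &sample_bad), EINVAL);
    printf("dispatch slot 0: %d\n", dispatch(0, sample_frame, 9));
    printf("unchecked register narg=9: %d\n", syscall_register_unchecked(1, &sample_bad));
    printf("dispatch slot 1 (oversized sysent): %d\n", dispatch(1, sample_frame, 9));
    return 0;
}
```

The point of the model is the ordering: once syscall_register_checked() rejects sy_narg > SYS_ARGS, the guard inside dispatch() can never fire and could be dropped from the hot path, which is the performance argument made in the message; with the unchecked registration, that guard is the only thing standing between a 9-argument sysent and a write past args[].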