From owner-freebsd-hackers@FreeBSD.ORG Sat Sep 18 13:34:13 2004
From: gerarra@tin.it
To: freebsd-hackers@freebsd.org
Date: Sat, 18 Sep 2004 15:34:11 +0200
Message-ID: <4146316C0000A4AF@ims3a.cp.tin.it>
Subject: FreeBSD Kernel buffer overflow

Here I report a patch different from Giorgos' one. The approach is completely different: working on the syscall_register() function in the kern/kern_syscalls.c file.

==============================
> cat kern_syscalls.diff
--- kern_syscalls.c	Sat Sep 18 14:37:53 2004
+++ kern_syscalls2.c	Sat Sep 18 14:37:53 2004
@@ -73,6 +73,11 @@
 	    sysent[*offset].sy_call != (sy_call_t *)lkmressys)
 		return EEXIST;
+#if (__i386__) && (INVARIANTS)
+	KASSERT(new_sysent->nargs >= 0 && new_sysent->nargs <= i386_SYS_ARGS,
+	    "invalid number of syscalls");
+#endif
+
 	*old_sysent = sysent[*offset];
 	sysent[*offset] = *new_sysent;
 	return 0;

==============================
> cat trap.diff
--- trap.c	Sat Sep 18 14:38:00 2004
+++ trap2.c	Sat Sep 18 14:38:00 2004
@@ -902,7 +902,7 @@
 	u_int sticks;
 	int error;
 	int narg;
-	int args[8];
+	int args[i386_SYS_ARGS];
 	u_int code;

 	/*

==============================
> cat cdefs.diff
--- cdefs.h	Sat Sep 18 14:37:38 2004
+++ cdefs2.h	Sat Sep 18 14:37:38 2004
@@ -467,4 +467,6 @@
 #endif
 #endif
+#define i386_SYS_ARGS 8
+
 #endif /* !_SYS_CDEFS_H_ */

The main improvement is that it doesn't affect handler performance (even in INVARIANTS-compiled kernels) and the check is done once. It could be clear enough. You can download the tgz at http://www.gufi.org/~rookie/args-diff.tar.gz

goodbye,
rookie
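Review bot: in the kern_syscalls.c hunk the bound is enforced only under INVARIANTS and only on i386, so a production kernel still installs an entry whose argument count exceeds the args[] buffer in syscall(); since the whole point of the patch is to keep the per-call path free of checks, the registration-time check has to be unconditional, and an oversized count is a caller error that should be reported (return EINVAL before `*old_sysent = sysent[*offset];`) rather than a panic. Two smaller points on the same lines: KASSERT's second argument is a parenthesised panic() argument list, so it needs to be written `("invalid number of syscalls")` to compile, and the message should say arguments, not syscalls. Please also double-check the field name, since the count field of struct sysent is sy_narg in sys/sysent.h, and that the flag bits sy_narg can carry are masked (SYF_ARGMASK) before the comparison, otherwise an MPSAFE syscall with a perfectly legal argument count would trip the assertion.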
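Review bot: in the trap.c hunk replacing 8 with i386_SYS_ARGS changes the size of nothing; whatever fills args[] below this declaration still trusts the registered narg, so the array is exactly as safe as the registration-time check, which in this patch is compiled out without INVARIANTS. If the hot-path check is to be avoided on purpose, a comment at the declaration stating that syscall_register() guarantees narg <= i386_SYS_ARGS would at least document the invariant the array now depends on.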
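Review bot: in the cdefs.h hunk, sys/cdefs.h is the machine-independent compiler-definitions header, so an i386 limit named i386_SYS_ARGS does not belong there; both kern_syscalls.c and trap.c already work with struct sysent, so sys/sysent.h (or the i386 machine headers, given the `#if (__i386__)` guard in the other hunk) is a better home, and FreeBSD macro style would be all upper-case. The value also has to stay in step with the args[] declaration in trap.c, so a comment saying what it bounds would help whoever changes either side later.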
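The registration-time check the mail argues for, as an added example that is neither the patch's nor FreeBSD's code: a user-space model of the sysent table, of syscall_register() and of the fixed-size argument copy in the i386 syscall() handler. It shows the overrun that an unvalidated argument count causes, the hardened registration that refuses such a count with EINVAL unconditionally (no INVARIANTS, no panic), and why the flag bits have to be masked before comparing. SYS_MAXARGS, NSYSENT, CANARY, sum_handler, dispatch and the toy frame layout are assumptions made for the example; the SYF_ARGMASK and SYF_MPSAFE values follow FreeBSD 5.x sys/sysent.h.

```c
/* Added example (not from the original mail or FreeBSD): a user-space model
 * of the sysent table, syscall_register() and the i386 syscall() argument
 * copy.  Table size, frame layout and handler names are assumptions; the
 * SYF_* values are those of FreeBSD 5.x sys/sysent.h. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SYS_MAXARGS  8            /* int args[8] in i386 trap.c syscall() */
#define NSYSENT      16           /* toy table size (assumption) */
#define NO_SYSCALL   (-1)         /* "pick any free slot", as in kern_syscalls.c */
#define SYF_ARGMASK  0x0000FFFF   /* low bits of sy_narg: argument count */
#define SYF_MPSAFE   0x00010000   /* flag bit that also lives in sy_narg */
#define CANARY       0x5a5a5a5a   /* stands in for whatever follows args[] on the stack */

typedef int sy_call_t(int *args, int narg);

struct sysent {
    int        sy_narg;           /* argument count, possibly OR'ed with SYF_* flags */
    sy_call_t *sy_call;
};

static int lkmnosys(int *a, int n) { (void)a; (void)n; return ENOSYS; }

static struct sysent sysent[NSYSENT];

static void sysent_init(void)
{
    int i;
    for (i = 0; i < NSYSENT; i++) {
        sysent[i].sy_narg = 0;
        sysent[i].sy_call = lkmnosys;
    }
}

/* Hardened registration: the bound is checked on every kernel build, a bad
 * count is reported as EINVAL instead of panicking, and the flag bits are
 * masked off before the comparison so MPSAFE syscalls are not rejected. */
int syscall_register(int *offset, struct sysent *new_sysent,
                     struct sysent *old_sysent)
{
    int narg = new_sysent->sy_narg & SYF_ARGMASK;
    int i;

    if (*offset == NO_SYSCALL) {
        for (i = 1; i < NSYSENT; i++)
            if (sysent[i].sy_call == lkmnosys)
                break;
        if (i == NSYSENT)
            return ENFILE;
        *offset = i;
    } else if (*offset < 0 || *offset >= NSYSENT) {
        return EINVAL;
    } else if (sysent[*offset].sy_call != lkmnosys) {
        return EEXIST;
    }
    if (narg > SYS_MAXARGS)           /* the check done once, at registration */
        return EINVAL;
    *old_sysent = sysent[*offset];
    sysent[*offset] = *new_sysent;
    return 0;
}

/* Model of the handler's argument copy.  frame[0..SYS_MAXARGS-1] plays the
 * role of args[8]; frame[SYS_MAXARGS] is a canary where the next stack slot
 * would be.  The copy trusts sy_narg exactly as the handler does; the only
 * guard is one that keeps this toy inside its own (oversized) array. */
int dispatch(int code, const int *uargs, int *canary_ok)
{
    int frame[SYS_MAXARGS + 8];
    struct sysent *callp = &sysent[code];
    int narg = callp->sy_narg & SYF_ARGMASK;

    *canary_ok = 1;
    frame[SYS_MAXARGS] = CANARY;
    if (narg > SYS_MAXARGS + 8)        /* toy-only guard, absent in the kernel */
        return E2BIG;
    memcpy(frame, uargs, (size_t)narg * sizeof(int));
    *canary_ok = (frame[SYS_MAXARGS] == CANARY);
    return callp->sy_call(frame, narg);
}

static int sum_handler(int *args, int narg)
{
    int i, s = 0;
    for (i = 0; i < narg; i++)
        s += args[i];
    return s;
}

/* Too many arguments: refused before anything is installed.  Returns EINVAL. */
int demo_checked_registration(void)
{
    struct sysent se = { 12, sum_handler }, old;
    int off = NO_SYSCALL;
    sysent_init();
    return syscall_register(&off, &se, &old);
}

/* Legal count with the MPSAFE flag set: must still register.  Returns 0. */
int demo_mpsafe_registration(void)
{
    struct sysent se = { 3 | SYF_MPSAFE, sum_handler }, old;
    int off = NO_SYSCALL;
    sysent_init();
    return syscall_register(&off, &se, &old);
}

/* Unpatched behaviour: the entry goes in with no validation, as the
 * pre-patch syscall_register() allows, and the copy runs past args[].
 * Returns 0 because the canary has been overwritten. */
int demo_unchecked_overrun(void)
{
    int uargs[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };   /* constructed input */
    int canary_ok = 1;
    sysent_init();
    sysent[5].sy_narg = 12;
    sysent[5].sy_call = sum_handler;
    (void)dispatch(5, uargs, &canary_ok);
    return canary_ok;
}

int main(void)
{
    printf("oversized registration -> %d (EINVAL is %d)\n", demo_checked_registration(), EINVAL);
    printf("MPSAFE registration    -> %d\n", demo_mpsafe_registration());
    printf("unchecked dispatch, canary intact -> %d\n", demo_unchecked_overrun());
    return 0;
}
```

The design point the model makes concrete is the one the mail relies on: once the count is validated where the entry is installed, the per-call path can keep its fixed buffer and no extra check, but only if that validation is present in every build and fails closed with an error code rather than a panic.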