From owner-freebsd-hackers@FreeBSD.ORG Wed Sep 22 19:08:03 2004
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E94E16A4CE; Wed, 22 Sep 2004 19:08:03 +0000 (GMT)
Received: from vsmtp3.tin.it (vsmtp3alice.tin.it [212.216.176.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4ECAF43D3F; Wed, 22 Sep 2004 19:08:02 +0000 (GMT) (envelope-from gerarra@tin.it)
Received: from ims3a.cp.tin.it (192.168.70.103) by vsmtp3.tin.it (7.0.027) id 414B175C002219AA; Wed, 22 Sep 2004 21:08:01 +0200
Received: from [192.168.70.229] by ims3a.cp.tin.it with HTTP; Wed, 22 Sep 2004 21:08:00 +0200
Date: Wed, 22 Sep 2004 21:08:00 +0200
Message-ID: <4146316C00012CA0@ims3a.cp.tin.it>
From: gerarra@tin.it
To: freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable
cc: truckman@freebsd.org
Subject: freebsd kernel buffer overflow patch
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Wed, 22 Sep 2004 19:08:03 -0000

Hi,

I've seen a potential problem in my patch; the SYF_MPSAFE flag for MP-safe syscalls is not handled. Maybe something like this is better:

====================================

kern/kern_syscalls.c:

--- kern_syscalls.c	Sat Sep 18 13:42:21 2004
+++ kern_syscalls2.c	Wed Sep 22 20:25:22 2004
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 
 /*
  * Acts like "nosys" but can be identified in sysent for dynamic call
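Review bot: the file name in the added `+#include` line is not visible here (the three existing includes have lost theirs as well), so the one property this hunk must guarantee cannot be checked: that the header pulled in is the one that defines MAX_SYSCALL_ARGS and SYF_MPSAFE. The check added to syscall_register later in the patch is wrapped in `#ifdef MAX_SYSCALL_ARGS`, so including the wrong header compiles cleanly and silently drops the bounds check. Please name the header in the patch description and say where MAX_SYSCALL_ARGS is defined, so a reviewer can confirm the macro is visible in kern_syscalls.c.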
@@ -58,6 +59,17 @@
 syscall_register(int *offset, struct sysent *new_sysent,
     struct sysent *old_sysent)
 {
+#ifdef MAX_SYSCALL_ARGS
+	if ( (new_sysent->sy_narg & ~SYF_MPSAFE) < 0 ||
+	     (new_sysent->sy_narg & ~SYF_MPSAFE) > MAX_SYSCALL_ARGS)
+	{
+		printf("Invalid sy_narg for syscall: boundary is [0 - %d]\n",
+		    MAX_SYSCALL_ARGS);
+		return EINVAL;
+	}
+#endif
+
+
 	if (*offset == NO_SYSCALL) {
 		int i;

The complete diff tree is at http://www.gufi.org/~rookie/args-diff.tar.gz

rookie
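Review bot: in the `if` at the top of syscall_register, clearing only SYF_MPSAFE with `sy_narg & ~SYF_MPSAFE` does not isolate the argument count: any other flag bit that is set in sy_narg survives the mask and makes `> MAX_SYSCALL_ARGS` reject a valid entry, while a future flag added next to SYF_MPSAFE would need this check to be edited again. Recover the count the way the syscall dispatcher does, with a mask that selects only the argument-count bits, and compute it once into a local instead of repeating `(new_sysent->sy_narg & ~SYF_MPSAFE)` in both comparisons. Two smaller points: the whole check vanishes when MAX_SYSCALL_ARGS is not defined, so either make it unconditional or add a comment saying why the `#ifdef` is intended, and the layout `if ( (...) ||` with the opening brace on its own line does not match the surrounding code, which writes `if (*offset == NO_SYSCALL) {`; the printf would also be more useful if it included the rejected sy_narg value.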