cvs commit: src/sys/kern kern_sysctl.c
Constantine A. Murenin
cnst at FreeBSD.org
Mon Sep 3 12:07:07 PDT 2007
On 02/09/07, Robert Watson <rwatson at freebsd.org> wrote:
> rwatson 2007-09-02 09:59:33 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/kern kern_sysctl.c
> Log:
> In userland_sysctl(), call useracc() with the actual newlen value to be
> used, rather than the one passed via 'req', which may not reflect a
> rewrite. This call to useracc() is redundant to validation performed by
> later copyin()/copyout() calls, so there isn't a security issue here,
Yes, the above is correct. E.g. down the line in
sysctl_handle_string(9), the SYSCTL_IN() macro is used to call
sysctl_new_user(9), which uses copyin(9).
> but this could technically lead to excessive validation of addresses if
> the length in newlen is shorter than req.newlen.
No, this is actually not the case -- 'newlen' can never be less than
'req.newlen', because both are of 'size_t' type, and the 'req'
structure is bzero'ed at the beginning of userland_sysctl(). Hence,
before this fix, useracc(9) in question was called with a zero as its
'len' parameter.
I think it is also noteworthy to mention that this a 12-year-old bug.
It was introduced in 1995 (kern_sysctl.c#rev1.38), although this line
was touched slightly in 1999 (kern_sysctl.c#rev1.91).
Best regards,
Constantine.
>
> Approved by: re (kensmith)
> Reviewed by: jhb
> Submitted by: Constantine A. Murenin <cnst+freebsd at bugmail.mojo.ru>
> Sponsored by: Google Summer of Code 2007
>
> Revision Changes Path
> 1.177 +1 -1 src/sys/kern/kern_sysctl.c
More information about the cvs-src
mailing list