How to validate the variable size memory block in ioctl handler?
Yuri
yuri at rawbw.com
Mon Jan 21 03:55:11 UTC 2013
On 01/20/2013 19:15, mdf at freebsd.org wrote:
> This would be fine for a local patch but it breaks existing (valid)
> uses that have exactly 8191 bytes of data, so it wouldn't be suitable
> for the main FreeBSD repository. Also, in general one wants to have
> limits on syscalls that can force a kernel malloc of any size, as it
> leads to denial of service attacks or crashes by requesting the kernel
> over-allocate memory.

Both problems are easily fixable.

Current len range can be preserved by encoding this case into an 'inout'
parameter of _IOC instead. IOC_VOID is only used when no IOC_IN/IOC_OUT
is set, so all 3 bits would mean _IORWE.

And arbitrarily high parameter size can be explicitly limited in
sys_generic.c to IOCPARM_MAX.

Yuri
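
An added example, not part of the original message and not FreeBSD code: a user-space C model of the check the message proposes, where all three direction bits mark a variable-size request and the caller's length is bounded by IOCPARM_MAX before anything is allocated. The constant values are assumed to match FreeBSD's sys/ioccom.h; IOC_VARLEN, ioctl_param_size() and the `declared` argument are hypothetical names, and rejecting with ENOTTY is this example's choice.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values assumed to match FreeBSD's <sys/ioccom.h>. */
#define IOCPARM_SHIFT  13
#define IOCPARM_MASK   ((1u << IOCPARM_SHIFT) - 1)   /* 8191 */
#define IOCPARM_LEN(x) (((x) >> 16) & IOCPARM_MASK)
#define IOCPARM_MAX    (1u << IOCPARM_SHIFT)         /* 8192 */
#define IOC_VOID       0x20000000u
#define IOC_OUT        0x40000000u
#define IOC_IN         0x80000000u
#define IOC_DIRMASK    (IOC_VOID | IOC_OUT | IOC_IN)
/* Hypothetical name: all three direction bits set marks a variable-size request. */
#define IOC_VARLEN     IOC_DIRMASK

/*
 * Hypothetical helper: pick the number of parameter bytes for command `com`.
 * `declared` is the length the caller supplies for a variable-size request;
 * how it reaches the kernel is not specified in the message.
 * Returns 0 and sets *size, or an errno value.
 */
int ioctl_param_size(uint32_t com, size_t declared, size_t *size)
{
    uint32_t dir = com & IOC_DIRMASK;

    if (dir == 0)
        return ENOTTY;                 /* no direction bits at all */
    if (dir == IOC_VARLEN) {
        if (declared == 0 || declared > IOCPARM_MAX)
            return ENOTTY;             /* refuse before any allocation */
        *size = declared;
        return 0;
    }
    if (dir & IOC_VOID) {
        if (dir != IOC_VOID)
            return ENOTTY;             /* IOC_VOID mixed with only one of IN/OUT */
        *size = 0;                     /* nothing to copy */
        return 0;
    }
    if (IOCPARM_LEN(com) == 0)
        return ENOTTY;                 /* IN/OUT with no data */
    *size = IOCPARM_LEN(com);          /* fixed size: 1..8191 all still valid */
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = ioctl_param_size(IOC_VARLEN, 100000, &n);
    printf("oversized variable request -> %d\n", rc);
    return 0;
}
```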