On 02/09/07, Robert Watson <[EMAIL PROTECTED]> wrote: > rwatson 2007-09-02 09:59:33 UTC > > FreeBSD src repository > > Modified files: > sys/kern kern_sysctl.c > Log: > In userland_sysctl(), call useracc() with the actual newlen value to be > used, rather than the one passed via 'req', which may not reflect a > rewrite. This call to useracc() is redundant to validation performed by > later copyin()/copyout() calls, so there isn't a security issue here,
Yes, the above is correct. E.g. down the line in sysctl_handle_string(9), the SYSCTL_IN() macro is used to call sysctl_new_user(9), which uses copyin(9). > but this could technically lead to excessive validation of addresses if > the length in newlen is shorter than req.newlen. No, this is actually not the case -- 'newlen' can never be less than 'req.newlen', because both are of 'size_t' type, and the 'req' structure is bzero'ed at the beginning of userland_sysctl(). Hence, before this fix, useracc(9) in question was called with a zero as its 'len' parameter. I think it is also noteworthy to mention that this a 12-year-old bug. It was introduced in 1995 (kern_sysctl.c#rev1.38), although this line was touched slightly in 1999 (kern_sysctl.c#rev1.91). Best regards, Constantine. > > Approved by: re (kensmith) > Reviewed by: jhb > Submitted by: Constantine A. Murenin <[EMAIL PROTECTED]> > Sponsored by: Google Summer of Code 2007 > > Revision Changes Path > 1.177 +1 -1 src/sys/kern/kern_sysctl.c _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "[EMAIL PROTECTED]"
