[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-hackers
Subject: Re: How to validate the variable size memory block in ioctl handler?
From: Yuri <yuri () rawbw ! com>
Date: 2013-01-21 3:55:09
Message-ID: 50FCBC1D.4070905 () rawbw ! com
[Download RAW message or body]
On 01/20/2013 19:15, mdf@freebsd.org wrote:
> This would be fine for a local patch but it breaks existing (valid)
> uses that have exactly 8191 bytes of data, so it wouldn't be suitable
> for the main FreeBSD repository. Also, in general one wants to have
> limits on syscalls that can force a kernel malloc of any size, as it
> leads to denial of service attacks or crashes by requesting the kernel
> over-allocate memory.
Both problems are easily fixable.
Current len range can be preserved by encoding this case into an 'inout'
parameter of _IOC instead. IOC_VOID is only used when no IOC_IN/IOC_OUT
is set, so all 3 bits would mean _IORWE.
And arbitrarily high parameter size can be explicitly limited in
sys_generic.c to IOCPARM_MAX.
Yuri
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic