Fix an exploitable integer overflow found by Chris Evans of Google Security.

christos 2006-10-06 16:17:11 +00:00
parent 34a6a097c3
commit 7af45af282
2 changed files with 17 additions and 5 deletions


@ -1,4 +1,4 @@
/* $NetBSD: kern_systrace.c,v 1.58 2006/09/02 06:35:49 christos Exp $ */
/* $NetBSD: kern_systrace.c,v 1.59 2006/10/06 16:17:11 christos Exp $ */
/*
* Copyright 2002, 2003 Niels Provos <provos@citi.umich.edu>
@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_systrace.c,v 1.58 2006/09/02 06:35:49 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_systrace.c,v 1.59 2006/10/06 16:17:11 christos Exp $");
#include "opt_systrace.h"
@ -1370,9 +1370,16 @@ systrace_preprepl(struct str_process *strp, struct systrace_replace *repl)
return (EINVAL);
for (i = 0, len = 0; i < repl->strr_nrepl; i++) {
len += repl->strr_offlen[i];
if (repl->strr_argind[i] < 0 ||
repl->strr_argind[i] >= SYSTR_MAXARGS)
return (EINVAL);
if (repl->strr_offlen[i] == 0)
continue;
len += repl->strr_offlen[i];
if (repl->strr_offlen[i] > SYSTR_MAXREPLEN ||
repl->strr_off[i] > SYSTR_MAXREPLEN ||
len > SYSTR_MAXREPLEN)
return (EINVAL);
if (repl->strr_offlen[i] + repl->strr_off[i] > len)
return (EINVAL);
}
@ -1382,7 +1389,7 @@ systrace_preprepl(struct str_process *strp, struct systrace_replace *repl)
return (EINVAL);
/* Check against a maximum length */
if (repl->strr_len > 2048)
if (repl->strr_len > SYSTR_MAXREPLEN)
return (EINVAL);
strp->replace = (struct systrace_replace *)
@ -1423,6 +1430,10 @@ systrace_replace(struct str_process *strp, size_t argsize, register_t args[])
sg = stackgap_init(p->p_emul);
ubase = stackgap_alloc(&sg, repl->strr_len);
#endif
if (ubase == NULL) {
ret = EINVAL;
goto out;
}
kbase = repl->strr_base;
for (i = 0; i < maxarg && i < repl->strr_nrepl; i++) {
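Review bot: In the systrace_preprepl loop, the guard `repl->strr_offlen[i] + repl->strr_off[i] > len` is only wrap-free because the `> SYSTR_MAXREPLEN` bounds on each term and on `len` run immediately before it, and nothing in the code records that ordering dependency. I would add a comment above the bounds check such as `/* Bound each term and the running total first so the sum below cannot wrap. */` so a later reorder does not reintroduce the overflow. The upper-bound comparisons also reject negative values only if `strr_off`, `strr_offlen` and `len` are unsigned; their declarations are not on this page, so that should be confirmed against systrace.h. In systrace_replace the new `ubase == NULL` path returns EINVAL via `out`, and that label's cleanup lies outside the hunk, so whether it is valid to jump there before `kbase` is set could not be checked here. Both functions start and end outside the visible hunks.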


@ -1,4 +1,4 @@
/* $NetBSD: systrace.h,v 1.20 2006/07/19 21:11:39 ad Exp $ */
/* $NetBSD: systrace.h,v 1.21 2006/10/06 16:17:11 christos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -55,6 +55,7 @@ struct str_msg_execve {
#define SYSTR_MAX_POLICIES 64
#define SYSTR_MAXARGS 64
#define SYSTR_MAXFNAME 8
#define SYSTR_MAXREPLEN 2048
struct str_msg_ask {
int32_t code;