12-year-old bug in FreeBSD's kern_sysctl.c
[Mon, 2007-09-03T15:22]
The other week, I found a 12-year-old bug in FreeBSD's /sys/kern/kern_sysctl.c.
The bug is an incorrect len parameter being passed to useracc(9).
I originally thought that it might have some security implications, but in reality the subsequent copyin(9) call in sysctl_new_user() is supposed to take care of any boundary problems, so in the end I'm not sure why this useracc(9) call is even there in the first place, buggy or not. ;)
Although fixing this bug so far doesn't seem to be of any real value to anyone -- tell me if it is to you -- it is nonetheless interesting to find bugs that were introduced so many years ago. ;)
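To make the point about the redundant check concrete, here is a small user-space simulation, added to this entry and not code from FreeBSD's kern_sysctl.c or from my patch. The function names sim_useracc, sim_copyin and sysctl_new_user_sim are assumptions modelled loosely on useracc(9), copyin(9) and sysctl_new_user(); the user window, the sample buffers and the particular mismatched lengths are constructed for the example (the entry above does not say what the incorrect length was). The simulation shows that whatever length the pre-check is handed, the copy step validates its own bounds, so the pre-check neither adds protection when its length is too small nor is it free of side effects when its length is too large.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "user address space": the window [USER_BASE, USER_BASE + USER_SIZE). */
#define USER_SIZE 64
static unsigned char user_mem[USER_SIZE];
#define USER_BASE ((uintptr_t)user_mem)

/* Scratch kernel-side destination buffer for the copies below. */
static unsigned char kbuf[USER_SIZE];

/* useracc(9)-like pre-check (assumed name): is [addr, addr + len) inside the user window? */
static int sim_useracc(uintptr_t addr, size_t len)
{
    if (len == 0)
        return 1;
    if (addr < USER_BASE || addr - USER_BASE >= USER_SIZE)
        return 0;
    /* bytes remaining between addr and the end of the window */
    return len <= USER_SIZE - (addr - USER_BASE);
}

/* copyin(9)-like bounded copy (assumed name): validates its own range and fails with EFAULT. */
static int sim_copyin(uintptr_t uaddr, void *kaddr, size_t len)
{
    if (!sim_useracc(uaddr, len))
        return EFAULT;
    memcpy(kaddr, (const void *)uaddr, len);
    return 0;
}

/*
 * Shape of a sysctl_new_user()-style path (assumed name): a pre-check with
 * precheck_len, then the real copy with newlen.  A correct caller passes
 * precheck_len == newlen; the mismatch is the hypothetical bug being modelled.
 */
static int sysctl_new_user_sim(uintptr_t newp, size_t newlen,
                               size_t precheck_len, void *dst)
{
    if (!sim_useracc(newp, precheck_len))
        return EFAULT;               /* the pre-check */
    return sim_copyin(newp, dst, newlen);  /* the authoritative bounds check */
}

int main(void)
{
    /* Case 1: consistent lengths, buffer fully inside the window -> success. */
    printf("consistent lengths:      %d\n",
           sysctl_new_user_sim(USER_BASE, 16, 16, kbuf));

    /* Case 2: pre-check length too small.  The check passes for a buffer that
     * overruns the window by 8 bytes, but the copy still rejects it. */
    printf("pre-check too small:     %d (EFAULT is %d)\n",
           sysctl_new_user_sim(USER_BASE + USER_SIZE - 8, 16, 4, kbuf), EFAULT);

    /* Case 3: pre-check length too large.  A perfectly valid request is refused
     * before the copy ever runs. */
    printf("pre-check too large:     %d (EFAULT is %d)\n",
           sysctl_new_user_sim(USER_BASE, 16, 2 * USER_SIZE, kbuf), EFAULT);
    return 0;
}
```

The takeaway for reviewing code of this shape is that a separate accessibility check in front of a bounded copy must use exactly the length the copy will use; otherwise it is at best redundant and at worst rejects valid input, while the copy remains the only line that actually enforces the boundary.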
Thanks to Robert Watson for taking the time to commit my patch and for the discussion. Here are some links to the mailing list regarding my fix being committed; read the message in the second link for my complete description of what the bug is about.
http://lists.freebsd.org/pipermail/cvs-src/2007-September/081597.html -- my patch is committed
http://lists.freebsd.org/pipermail/cvs-src/2007-September/081603.html -- my detailed comments
And here is the history of this bug:
http://cvsweb.freebsd.org/src/sys/kern/kern_sysctl.c#rev1.38 -- the bug is introduced in 1995
http://cvsweb.freebsd.org/src/sys/kern/kern_sysctl.c#rev1.91 -- the line with the bug is slightly altered
http://cvsweb.freebsd.org/src/sys/kern/kern_sysctl.c#rev1.177 -- the bug is fixed with my patch
I've also emailed Matt Dillon, and he committed my patch to DragonFly BSD, too:
http://www.dragonflybsd.org/cvsweb/src/sys/kern/kern_sysctl.c#rev1.28 -- my patch in DragonFly
P.S. If you're actually looking for a useful but slightly younger bug that I've fixed, then look no further than in my “10-year-old pointer-arithmetic bug in make(1) is now gone…” entry. ;)
Best regards, Constantine.