HomeFreeBSD
Diffusion FreeBSD src repository - subversion rS315155

Ktracing kevent(2) calls with unusual arguments might leads to an
rS315155
Actions

Description

Ktracing kevent(2) calls with unusual arguments might leads to an
overly large allocation requests.

When ktrace-ing io, sys_kevent() allocates memory to copy the
requested changes and reported events. Allocations are sized by the
incoming syscall lengths arguments, which are user-controlled, and
might cause overflow in calculations or too large allocations.

Since io trace chunks are limited by ktr_geniosize, there is no sense
it even trying to satisfy unbounded allocations. Export ktr_geniosize
and clamp the buffers sizes in advance.

PR: 217435
Reported by: Tim Newsham <tim.newsham@nccgroup.trust>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Details

Provenance
kibAuthored on
Parents
rS315154: MFH (r303289): update example section
Branches
Unknown
Tags
Unknown

Changes (3)

PathSize
head/
sys/
kern/
sys/

rS315155

View Options

head/sys/kern/kern_event.c

Loading...
View Options

head/sys/kern/kern_ktrace.c

Loading...
View Options

head/sys/sys/ktrace.h

Loading...