Re: kern_pledge: sysctl abort printing

Fri, 02 Jun 2017 14:14:04 -0700 

> >From my /var/log/messages:
> 
> Jun  1 22:10:25 idefix /bsd: dig(9111): sysctl 2: 1 13 16 0 -32064 32639
> Jun  1 22:10:25 idefix /bsd: dig(9111): syscall 202 ""
> Jun  1 22:10:57 idefix /bsd: dig(56469): sysctl 2: 1 13 0 0 -129840 32639
> Jun  1 22:10:57 idefix /bsd: dig(56469): syscall 202 ""
> Jun  1 22:14:03 idefix /bsd: dig(67838): sysctl 2: 1 13 999298946 0 6777188 0
> Jun  1 22:14:04 idefix /bsd: dig(67838): syscall 202 ""
> Jun  1 22:16:53 idefix /bsd: dig(10121): sysctl 2: 1 13 991450427 0 6777188 0
> Jun  1 22:16:54 idefix /bsd: dig(10121): syscall 202 ""
> 
> We're printing 5 mibs while the miblen is only 2, hence we see garbage.
> 
> Wouldn't it be better to print only this:
> 
> Jun  2 22:53:16 idefix /bsd: a.out(37619): sysctl 2: 1 13
> Jun  2 22:53:16 idefix /bsd: a.out(37619): syscall 202 ""
> 
> We could tweak it to stop after printing 5 mibs, of course. Printing the
> miblen could also be omitted, since it is kind of redundant now.
> 
> Index: kern_pledge.c
> ===================================================================
> RCS file: /var/cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.210
> diff -u -p -r1.210 kern_pledge.c
> --- kern_pledge.c     30 May 2017 15:04:45 -0000      1.210
> +++ kern_pledge.c     2 Jun 2017 20:42:21 -0000
> @@ -891,6 +891,8 @@ pledge_sendfd(struct proc *p, struct fil
>  int
>  pledge_sysctl(struct proc *p, int miblen, int *mib, void *new)
>  {
> +     int     i;
> +
>       if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
>               return (0);
>  
> @@ -1053,9 +1055,11 @@ pledge_sysctl(struct proc *p, int miblen
>           mib[0] == CTL_VM && mib[1] == VM_LOADAVG)
>               return (0);
>  
> -     printf("%s(%d): sysctl %d: %d %d %d %d %d %d\n",
> -         p->p_p->ps_comm, p->p_p->ps_pid, miblen, mib[0], mib[1],
> -         mib[2], mib[3], mib[4], mib[5]);
> +     printf("%s(%d): sysctl %d:", p->p_p->ps_comm, p->p_p->ps_pid, miblen);
> +     for (i = 0; i < miblen; i++)
> +             printf(" %d", mib[i]);
> +     printf("\n");
> +
>       return pledge_fail(p, EINVAL, 0);
>  }

Looks good to me.

I verified that sys_sysctl does a reasonable bounds-check of miblen
(aka SCARG(uap, namelen)) before calling pledge_sysctl().

Reply via email to