From: Mark Kettenis
Subject: Re: update on pinsyscalls(2)
To: "Theo de Raadt"
Cc: tech@cvs.openbsd.org
Date: Mon, 15 Jan 2024 16:58:00 +0100

> From: "Theo de Raadt"
> Date: Sun, 14 Jan 2024 18:47:54 -0700
>
> Mark Kettenis wrote:
>
> > > + npins = SCARG(uap, npins);
> > > + if (npins < 1 || npins > SYS_MAXSYSCALL * 2)
> > > + return (E2BIG);
> >
> > Since pinsyscalls(2) now takes an array of offsets indexed by
> > syscall#, the above check should be
> >
> >     if (npins < 1 || npins > SYS_MAXSYSCALL)
>
> But let's say a new system call is added at the end of the array. This
> would create a mandatory requirement for kernel before libc.so (or
> ld.so, depending on what the system call is). Otherwise pinsyscalls(2)
> would fail pretty hard. Right now the return value is ignored, but once
> this settles in, we want to take stronger action when pinsyscalls(2)
> returns an error.
>
> Generally we reuse old slots, but who knows...
>
> How about SYS_MAXSYSCALL + some slop value, maybe 2 or 5?

That's a bit weird. You're effectively saying we don't really care
about the limit. Other than limiting the size of the copyin. So we
might as well just do something like:

	if (npins < 1)
		return EINVAL;
	npins = MIN(npins, SYS_MAXSYSCALL);
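Review bot: the upper bound in the quoted hunk, `npins > SYS_MAXSYSCALL * 2`, does not match the described semantics of an array indexed by syscall number, where SYS_MAXSYSCALL entries is the most the kernel can use; the same `return (E2BIG)` is also used for `npins < 1`, which is an invalid argument rather than an oversize one. If the only thing the bound has to protect is the size of the copyin, the clamp proposed in the reply (`if (npins < 1) return EINVAL; npins = MIN(npins, SYS_MAXSYSCALL);`) keeps the copy bounded while letting a userland built with more syscall slots than the running kernel still succeed.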