From owner-freebsd-security Sat May 8 20:26:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 14D1A156B5 for ; Sat, 8 May 1999 20:26:15 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id UAA09528; Sat, 8 May 1999 20:26:09 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id UAA14975; Sat, 8 May 1999 20:26:07 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id UAA19750; Sat, 8 May 1999 20:26:06 -0700 (PDT)
From: Don Lewis
Message-Id: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Date: Sat, 8 May 1999 20:26:05 -0700
In-Reply-To: Wes Peters "Re: KKIS.05051999.003b" (May 7, 11:34pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Wes Peters , Don Lewis
Subject: Re: KKIS.05051999.003b
Cc: Kevin Day , security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 7, 11:34pm, Wes Peters wrote:
} Subject: Re: KKIS.05051999.003b
} Don Lewis wrote:
} >
} > On May 6, 2:10pm, Kevin Day wrote:
} > }
} > } Here's my testing so far:
} > }
} > } 2.2.2 - Vulnerable
} > } 2.2.6 - Vulnerable
} > } 2.2.8 - Vulnerable
} > } 3.1-RELEASE - Ran 15 minutes, no crash.
}
} Let it keep running. It will (apparently) eventually exhaust all
} available file handles in an unrecoverable manner. 3.1-R is better,
} but not invulnerable.

I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
something. The exploit code should not result in any calls to unp_gc(),
because the client receives all the descriptors that are sent by the server.
This should result in unp_rights being 0 except when the descriptor is in
flight. If unp_rights is 0 when the socket is closed, unp_gc() should not
be called. unp_gc() should only be called if the client closes the socket
before receiving the descriptor. Maybe a third process occasionally gets
scheduled while the exploit code has the descriptor in flight and causes
unp_gc() to get executed. If so, then the exploit shouldn't cause a problem
in single user mode.
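As an added illustration (not code from this thread or from the exploit it discusses) of what "the client receives the descriptor" means above: the sender attaches a descriptor with SCM_RIGHTS and the receiver collects it with recvmsg before either end closes its socket, which is the path on which unp_rights returns to 0 and unp_gc() has nothing to collect. It assumes a POSIX system with socketpair(2); pass_fd_roundtrip and the /dev/null test file are choices made here.

```c
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>

/* Aligned control-message buffer sized for exactly one passed descriptor. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
/* Send one descriptor over a Unix-domain socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char byte = 'x';  /* SCM_RIGHTS must accompany at least one byte of data */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u; memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor the peer passed; returns the new fd, or -1 if none. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Pass a descriptor for /dev/null across a socketpair and receive it before any
 * socket is closed, so nothing is in flight when the sockets go away. Returns 1
 * if the received fd refers to the same file, 0 otherwise. */
int pass_fd_roundtrip(void) {
    int sv[2], orig, got, same = 0; struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if ((orig = open("/dev/null", O_RDONLY)) >= 0) {
        if (send_fd(sv[0], orig) == 0 && (got = recv_fd(sv[1])) >= 0) {
            same = fstat(orig, &a) == 0 && fstat(got, &b) == 0 &&
                   a.st_dev == b.st_dev && a.st_ino == b.st_ino;
            close(got);  /* drop the received copy; no extra reference remains */
        }
        close(orig);
    }
    close(sv[0]); close(sv[1]);
    return same;
}
```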