From owner-freebsd-security Fri May 7 17:21:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id C87D714EAE for ; Fri, 7 May 1999 17:21:40 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id RAA28401; Fri, 7 May 1999 17:21:30 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA11146; Fri, 7 May 1999 17:21:29 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA16889; Fri, 7 May 1999 17:21:24 -0700 (PDT)
From: Don Lewis
Message-Id: <199905080021.RAA16889@salsa.gv.tsc.tdk.com>
Date: Fri, 7 May 1999 17:21:24 -0700
In-Reply-To: Kevin Day "Re: KKIS.05051999.003b" (May 6, 2:10pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Kevin Day , BUGTRAQ@netspace.org
Subject: Re: KKIS.05051999.003b
Cc: security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 6, 2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > Report title      : Security problem with sockets in FreeBSD's
} >                     implementation of UNIX-domain protocol family.
} > Problem found by  : Lukasz Luzar (lluzar@security.kki.pl)
} > Report created by : Robert Pajak (shadow@security.kki.pl)
} >                     Lukasz Luzar (lluzar@security.kki.pl)
} > Report published  : 5th May 1999
} > Report code       : KKIS.05051999.003.b
} > Systems affected  : FreeBSD-3.0 and maybe 3.1,
} > Archive           : http://www.security.kki.pl/advisories/
} > Risk level        : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > As you know, "The UNIX-domain protocol family is a collection of protocols
} > that provides local interprocess communication through the normal socket
} > mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} > filesystem pathnames for addressing."
} > The SOCK_STREAM sockets also support the communication of UNIX file
} > descriptors through the use of the functions sendmsg() and recvmsg().
} > While testing UNIX-domain protocols, we have found a probable bug in
} > FreeBSD's implementation of this mechanism.
} > When we ran the attached example on FreeBSD-3.0 as a local user, the system
} > crashed immediately with the error "Supervisor read, page not present"
} > in kernel mode.
} >
}
} Here's my testing so far:
}
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.

I'd be willing to bet that 3.0-RELEASE is also vulnerable. I believe Matt
Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT branch
January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of
sys/kern/uipc_usrreq.c. The RELENG_3 branch fix was committed just before
3.1-RELEASE.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message