Date: Fri, 23 Jun 2006 21:45:21 +0200
From: Alexander Leidinger
To: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org, secteam@freebsd.org
Subject: Re: cvs commit: src/sys/compat/linux linux_misc.c
Message-ID: <20060623214521.7b1441a6@Magellan.Leidinger.net>
In-Reply-To: <200606231849.k5NIncuF041890@repoman.freebsd.org>

Quoting Alexander Leidinger (Fri, 23 Jun 2006 18:49:38 +0000 (UTC)):

> netchild    2006-06-23 18:49:38 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/compat/linux     linux_misc.c
>   Log:
>   The linux times syscall can be called with a NULL pointer, so keep cool
>   and don't panic.
>
>   This fix is different from the patch submitted as it not only prevents
>   a NULL-pointer dereference, but also skips some work in this case.

I realized this may be a little bit misleading...

The NULL pointer is used as the destination in a copyout. And it writes some kind of time values (current time). So this will overwrite parts at the userland address 0. This will not lead to a kernel panic, but it will do malicious things to the program which uses the linux times syscall. So this is not a DoS in any case.

The problematic case is when a linux program uses a NULL pointer in the times syscall conditionally. This may render the service which uses such a linux program useless sometimes.

For programs which use NULL there every time, this is not a DoS, it's just a normal bug (e.g. you can't use Oracle 10g Express) which prevents the use of this program.

So this is not a huge security flaw, it's more a not so small inconvenience. Since the RELENG_x_y branches are under control of the secteam, I used the "Security:" mark up to encode the possible need to merge this (I'm assuming Oracle 10g is important enough that we want our users to be able to run it).

For the curious people: there are two more patches needed to run Oracle 10g. They involve linprocfs and pseudofs. I will take care of them later (and if this commit is subject to a merge to RELENG_x_y, the other two patches should be too, but the powers with hats will decide this...).

Bye,
Alexander.

-- 
...and that is how we know the Earth to be banana-shaped.
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org   : PGP ID = 72077137
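
Added example, not part of the original message and not the FreeBSD code: a user-space C model of the two handler shapes the commit log contrasts, one that always copies the time values out and one that skips the copy when the caller passes NULL. All names (model_tms, model_copyout, times_before, times_after) and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical user-space model; none of these names are kernel symbols. */
struct model_tms { long utime, stime, cutime, cstime; };

static const struct model_tms sample = { 120, 30, 5, 1 }; /* constructed */
static const long sample_ticks = 4242;                    /* constructed */
static int copyout_calls;        /* how often the copy routine ran */
static const void *copyout_last; /* destination it was last handed */

/* Stand-in for a kernel-to-user copy: records each call, writes only to real buffers. */
static int model_copyout(const void *src, void *dst, size_t len)
{
    copyout_calls++;
    copyout_last = dst;
    if (dst != NULL)
        memcpy(dst, src, len);
    return 0;
}

/* Before: always gathers the values and copies them out, NULL or not. */
static long times_before(struct model_tms *ubuf)
{
    struct model_tms t = sample;
    if (model_copyout(&t, ubuf, sizeof(t)) != 0)
        return -1;
    return sample_ticks;
}

/* After: NULL means the caller wants only the tick count, so skip the work. */
static long times_after(struct model_tms *ubuf)
{
    if (ubuf != NULL) {
        struct model_tms t = sample;
        if (model_copyout(&t, ubuf, sizeof(t)) != 0)
            return -1;
    }
    return sample_ticks;
}

int main(void)
{
    times_before(NULL);
    printf("before: copy attempts=%d\n", copyout_calls);
    copyout_calls = 0;
    printf("after: ret=%ld copy attempts=%d\n", times_after(NULL), copyout_calls);
    return 0;
}
```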