From owner-freebsd-security Sat Sep 4 18:20:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 262F315668; Sat, 4 Sep 1999 18:20:45 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id SAA63930; Sat, 4 Sep 1999 18:20:37 -0700 (PDT) (envelope-from dillon)
Date: Sat, 4 Sep 1999 18:20:37 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199909050120.SAA63930@apollo.backplane.com>
To: "Brian F. Feldman" , Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD
References: <199909050110.SAA63819@apollo.backplane.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

::Whatever's in login.conf? :) Would you mind helping me out with
::http://www.FreeBSD.org/~green/sbsize2.patch? The KASSERT() fails
::in some cases, which I need help tracking down.
::...
:: Brian Fundakowski Feldman / "Any sufficiently advanced bug is \
:
:    Hmmm.  I see a problem, but it may not be the cause of
:    your problem.  'ui_proccnt == 0 && ui_sbsize == 0' may not be
:    sufficient to determine when a uip can be deleted, because a root
:    process can change its uid (resulting in the old uip's proccnt
:    possibly going to 0) and a socket buffer can be set to 0-length
:    during a shutdown() operation, possibly causing ui_sbsize to go to
:    zero.
:
:    Thus both fields may end up zero, a reference to the uip
:    may remain associated with the socket, and chgproccnt may
:    free the underlying uip.
:
:    I think what you need is a direct pointer reference to
:    the uip from the socket.  This would require a ui_refcount
:    be kept on the uip, since ui_proccnt isn't really a
:    general ref count in and of itself.
:
:    I suspect that you may still hit the KASSERT, that there
:    is something we are still missing, but this should help.

    Oh wait, I don't know which KASSERT() you were referring to.  If you
    were referring to the first one (uip != NULL), I think it can occur as
    I say.  If it is referring to the second one, (uip->ui_sbsize >= 0),
    then I'm not sure.

    Either way I would get rid of chgsbsize() and instead change the
    chgproccnt() function to take a third argument, or make it even more
    general by passing a field type and a delta to allow it to be scaled
    to other things.

    It may be as simple as the KASSERT winding up being wrong.  I would
    also instrument the panic portion of the KASSERT to display more
    information, such as the value of 'diff' and the old value of
    ui_sbsize when uip is not NULL.  That may make the problem more
    obvious.

                                        -Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
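The lifetime problem Matt describes, and the fix he proposes, as an added userland model (example code written for this page; it is neither Brian's sbsize2.patch nor FreeBSD's kern_resource.c). Assumptions: the per-uid record is a single linked list rather than the kernel's hash, the helper names uihold()/uidrop()/uichg() and the field selector are hypothetical, and the "socket" and "process" are two-field structs. run_scenario(0) uses the "free when ui_proccnt == 0 && ui_sbsize == 0" policy and reproduces the dangling pointer after setuid(0) plus shutdown(); run_scenario(1) keeps the uip alive with a ui_ref taken by every holder, and also folds chgproccnt()/chgsbsize() into one routine that takes a field and a delta, as the message suggests.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified per-uid accounting record (not FreeBSD's struct uidinfo). */
enum ui_field { UI_PROCCNT, UI_SBSIZE };

struct uidinfo {
    struct uidinfo *ui_next;
    unsigned int    ui_uid;
    long            ui_proccnt;   /* processes currently owned by this uid */
    long            ui_sbsize;    /* socket-buffer bytes charged to this uid */
    long            ui_ref;       /* pointers held to this uip: processes and sockets */
};

struct proc   { struct uidinfo *p_uip; };
struct socket { struct uidinfo *so_uip; long so_sbreserved; };

static struct uidinfo *uihead;   /* assumption: one list instead of a hash table */
static int uifrees;              /* number of uidinfo frees so far, for the checks below */
static int use_refcount;         /* 0: free when both counters hit zero; 1: free on last ref */

static void uireset(void)
{
    while (uihead != NULL) {
        struct uidinfo *n = uihead->ui_next;
        free(uihead);
        uihead = n;
    }
    uifrees = 0;
}

struct uidinfo *uifind(unsigned int uid)
{
    for (struct uidinfo *u = uihead; u != NULL; u = u->ui_next)
        if (u->ui_uid == uid)
            return u;
    return NULL;
}

static void uifree(struct uidinfo *uip)
{
    struct uidinfo **pp;
    for (pp = &uihead; *pp != uip; pp = &(*pp)->ui_next)
        ;
    *pp = uip->ui_next;
    free(uip);
    uifrees++;
}

/* Look up or create the record for uid and take a reference on it. */
struct uidinfo *uihold(unsigned int uid)
{
    struct uidinfo *uip = uifind(uid);
    if (uip == NULL) {
        uip = calloc(1, sizeof *uip);
        uip->ui_uid = uid;
        uip->ui_next = uihead;
        uihead = uip;
    }
    uip->ui_ref++;
    return uip;
}

/* Drop a reference; with refcounting the record goes away only when nobody points at it. */
void uidrop(struct uidinfo *uip)
{
    assert(uip->ui_ref > 0);
    if (--uip->ui_ref == 0 && use_refcount) {
        assert(uip->ui_proccnt == 0 && uip->ui_sbsize == 0);
        uifree(uip);
    }
}

/* One accounting routine taking a field and a delta, instead of chgproccnt()/chgsbsize(). */
void uichg(struct uidinfo *uip, enum ui_field f, long diff)
{
    long *cnt = (f == UI_PROCCNT) ? &uip->ui_proccnt : &uip->ui_sbsize;
    *cnt += diff;
    assert(*cnt >= 0);
    /* Counter-based policy: both zero is taken to mean nobody needs the record. */
    if (!use_refcount && uip->ui_proccnt == 0 && uip->ui_sbsize == 0)
        uifree(uip);
}

/* A uid-1001 process opens a socket charged 64 KiB, setuid()s to 0, then shutdown()s
 * the socket.  Returns 1 if the socket is left pointing at a freed uidinfo, else 0. */
int run_scenario(int refcount)
{
    struct proc p;
    struct socket so;
    int dangling;

    uireset();
    use_refcount = refcount;

    p.p_uip = uihold(1001);
    uichg(p.p_uip, UI_PROCCNT, +1);

    so.so_uip = uihold(1001);                 /* the socket pins the uip it charges */
    so.so_sbreserved = 65536;
    uichg(so.so_uip, UI_SBSIZE, +so.so_sbreserved);

    uichg(p.p_uip, UI_PROCCNT, -1);           /* setuid(0): old uip loses its last process */
    uidrop(p.p_uip);
    p.p_uip = uihold(0);
    uichg(p.p_uip, UI_PROCCNT, +1);

    uichg(so.so_uip, UI_SBSIZE, -so.so_sbreserved);   /* shutdown(): charge returns to 0 */
    so.so_sbreserved = 0;

    /* Freed while the socket still holds its pointer: the bug in the message. */
    dangling = (uifrees == 1 && so.so_uip != NULL);
    if (!dangling) {
        uidrop(so.so_uip);                    /* close(): last holder gone, now it may go */
        so.so_uip = NULL;
        assert(uifind(1001) == NULL && uifrees == 1);
    }
    uireset();                                /* teardown of whatever is left */
    return dangling;
}

int main(void)
{
    printf("counter policy: dangling=%d\n", run_scenario(0));   /* 1 */
    printf("refcount policy: dangling=%d\n", run_scenario(1));  /* 0 */
    return 0;
}
```

The check on `uifrees` is deliberately done without dereferencing `so_uip`, since in the counter-based run that pointer is already dangling; a real kernel would hit it on the next sbreserve() or close() and either panic in a KASSERT or corrupt whatever reused the allocation.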