From: Ed Schouten
To: Ivan Klymenko
Cc: hackers@freebsd.org
Date: Sat, 27 Nov 2010 18:59:50 +0100
Subject: Re: Simple kernel attack using socketpair.
Message-Id: <9543140C-4B74-49FE-986C-FF029123416B@80386.nl>
In-Reply-To: <20101126122639.4fd47cba@ukr.net>
List-Id: Technical Discussions relating to FreeBSD

On Nov 26, 2010, at 11:26, Ivan Klymenko wrote:

> Rumor has it that this vulnerability applies to FreeBSD too, with the
> replacement SOCK_SEQPACKET on SOCK_DGRAM...
>
> http://lkml.org/lkml/2010/11/25/8
>
> What do you think about this?

I'm not sure, but it seems to be related to some kind of stack overflow in close(), where each close() on a socket generates an additional close() call of the inflight sockets.

-- 
Ed Schouten
WWW: http://80386.nl/