Date: Fri, 7 Sep 2001 17:10:16 -0400 (EDT)
From: "Andrew R. Reiter" <arr@watson.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Rob Simmons <rsimmons@wlcg.com>, freebsd-security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
Message-ID: <Pine.NEB.3.96L.1010907165248.861B-100000@fledge.watson.org>
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
On Fri, 7 Sep 2001, Kris Kennaway wrote:
:
:I don't know about this one.. we may be. Someone will have to look
:into it.
In terms of -015 vuln from netbsd:
1) semop: -STABLE (44-RC from 8/28/01) seems to be vulnerable. If we
look at sys/kern/sysv_sem.c, we can see that we do:

    int
    semop(p, uap)
            struct proc *p;
            register struct semop_args *uap;
    {
            int semid = uap->semid;
            int nsops = uap->nsops;

nsops, defined from the man page and sysproto.h semop_args structure,
is _unsigned_. So, I'd say we are vulnerable to #1. Solution: make the
local nsops variable unsigned (size_t might be better?)
2) still need to look into, will follow-up if no one else has when I look
into it
3) same as 2
Hope this helps.
*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead
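
The signed/unsigned mismatch described in this message, as an added user-space example (not code from the original message or from FreeBSD). The struct name, the MAX_SOPS value, the bound check and the length computation are assumptions for illustration; the message quotes only the declarations.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SOPS 5   /* assumed per-call limit, illustration only */

struct semop_args_model {   /* hypothetical stand-in for semop_args */
    int      semid;
    unsigned nsops;         /* unsigned, as the message points out */
};

/* Signed local, as in the quoted code. Returns 1 if the request is accepted. */
static int accept_signed(const struct semop_args_model *uap)
{
    int nsops = (int)uap->nsops;   /* values above INT_MAX turn negative */
    return !(nsops > MAX_SOPS);    /* a negative count passes the check */
}

/* Proposed fix: keep the local unsigned. */
static int accept_unsigned(const struct semop_args_model *uap)
{
    size_t nsops = uap->nsops;
    return !(nsops > MAX_SOPS);
}

/* Length a later copy would derive from the signed local (assumed step). */
static size_t copy_len_signed(const struct semop_args_model *uap, size_t elem)
{
    int nsops = (int)uap->nsops;
    return (size_t)nsops * elem;   /* sign-extends, then wraps: huge length */
}

int main(void)
{
    struct semop_args_model ok  = { 0, 3 };         /* constructed inputs */
    struct semop_args_model bad = { 0, UINT_MAX };

    printf("nsops=3:        signed=%d unsigned=%d\n",
           accept_signed(&ok), accept_unsigned(&ok));
    printf("nsops=UINT_MAX: signed=%d unsigned=%d len=%zu\n",
           accept_signed(&bad), accept_unsigned(&bad),
           copy_len_signed(&bad, 6));
    return 0;
}
```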
