Date: Sat, 8 Sep 2001 06:43:49 -0400 (EDT)
From: "Andrew R. Reiter" <arr@watson.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: security@freebsd.org
Subject: Re: netbsd vulnerabilities
Message-ID: <Pine.NEB.3.96L.1010908063851.9148A-200000@fledge.watson.org>
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
Hey,

The attached code fixes the semop bug which is specified in the recent NetBSD security announcement. I'm not positive about the naming scheme wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made it u_int b/c I saw in sysproto.h that there seemed to be more u_int's instead of size_t's :-) Great logic.

Btw, this was written for:

FreeBSD aitutaki 4.4-RC FreeBSD 4.4-RC #4: Sat Sep 8 00:38:48 PDT 2001 root@aitutaki:/usr/obj/usr/src/sys/GENERIC i386

Anyway, in terms of there being an exploit or not... From what we (Eugene T. and myself) did, basically we can cause the machine to panic and that's about it. We seem to lose control over what occurs b/c we cause copyin to copy 2 gigs (IIRC) of junk to kernel space... Guh.

Also, if you want to do a different patch than what was simply done in what is attached, just keep in mind that nsops should be unsigned 32-bits.

Andrew

--
Andrew R. Reiter
arr@fledge.watson.org
"It requires a very unusual mind to undertake the analysis of the obvious" -- A.N. Whitehead

[Attachment: semop-fix.patch]

--- kern/sysv_sem.c.orig	Sat Sep  8 03:11:21 2001
+++ kern/sysv_sem.c	Sat Sep  8 03:20:23 2001
@@ -672,7 +672,7 @@
 struct semop_args {
 	int	semid;
 	struct	sembuf *sops;
-	int	nsops;
+	u_int	nsops;
 };
 #endif
 
@@ -682,17 +682,18 @@
 	register struct semop_args *uap;
 {
 	int semid = uap->semid;
-	int nsops = uap->nsops;
+	u_int nsops = uap->nsops;
 	struct sembuf sops[MAX_SOPS];
 	register struct semid_ds *semaptr;
 	register struct sembuf *sopptr;
 	register struct sem *semptr;
 	struct sem_undo *suptr = NULL;
-	int i, j, eval;
+	u_int i, j;
+	int eval;
 	int do_wakeup, do_undos;
 
 #ifdef SEM_DEBUG
-	printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
+	printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
 #endif
 
 	if (!jail_sysvipc_allowed && p->p_prison != NULL)
@@ -718,14 +719,14 @@
 
 	if (nsops > MAX_SOPS) {
 #ifdef SEM_DEBUG
-		printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
+		printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
 #endif
 		return(E2BIG);
 	}
 
 	if ((eval = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
 #ifdef SEM_DEBUG
-		printf("eval = %d from copyin(%08x, %08x, %d)\n", eval,
+		printf("eval = %d from copyin(%08x, %08x, %u)\n", eval,
 		    uap->sops, &sops, nsops * sizeof(sops[0]));
 #endif
 		return(eval);
--- sys/sem.h.orig	Sat Sep  8 03:21:08 2001
+++ sys/sem.h	Sat Sep  8 03:21:27 2001
@@ -101,7 +101,7 @@
 int semsys __P((int, ...));
 int semctl __P((int, int, int, ...));
 int semget __P((key_t, int, int));
-int semop __P((int, struct sembuf *,unsigned));
+int semop __P((int, struct sembuf *, u_int));
 __END_DECLS
 #endif /* !_KERNEL */
 
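Review bot: the `#endif` that closes `struct semop_args` in the first hunk (`@@ -672,7 +672,7 @@`) shows this is a conditional fallback definition, so changing `int nsops;` to `u_int nsops;` only here does not change the type the normal build sees if that build takes `struct semop_args` from the generated sysproto.h (the header the cover note says was consulted). The same `u_int nsops` has to go into the source that sysproto.h is generated from and the header regenerated, otherwise `uap->nsops` is still a signed `int` at the copyin and this hunk has no effect; the two changes should be submitted together.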
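Review bot: in the second hunk (`@@ -682,17 +682,18 @@`) `u_int i, j;` changes the signedness of the loop counters, but nothing in the hunk shows how `i` and `j` are used further down; every comparison against them in the rest of semop() needs checking, because a loop that counts `j` down past zero never terminates once `j` is unsigned, and comparisons of `i` with signed values change meaning. The minimal fix is `u_int nsops = uap->nsops;` plus the `%u` in the debug printf; if `i` and `j` are widened on purpose to match `nsops`, a one-line comment saying so helps the next reader. While the printf line is being touched, `0x%x` paired with `sops` (a pointer) is a pre-existing format mismatch that could be fixed at the same time.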
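Review bot: in the third hunk (`@@ -718,14 +719,14 @@`) `if (nsops > MAX_SOPS)` is now the only thing keeping `nsops * sizeof(sops[0])` within the fixed stack array `sops[MAX_SOPS]`, and it is sufficient only because `nsops` became unsigned in the previous hunk; the original signed comparison looked equally correct, which is how the bug got in. Suggest a comment above the test, such as `/* nsops is unsigned: a former negative value is now > MAX_SOPS and rejected */`, so nobody re-signs it later. Minor: `nsops * sizeof(sops[0])` is a size_t printed with `%u`; that matches on the 4.4-RC i386 target named in the cover note but is a format mismatch on 64-bit, so casting to `unsigned long` and using `%lu` is more portable.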
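Review bot: the sys/sem.h hunk (`@@ -101,7 +101,7 @@`) replaces `unsigned` with `u_int`, which is the same type, so it changes nothing for callers; the userland prototype already disagreed in signedness with the kernel's `int nsops`, and the kernel side is where the fix matters. If the header is touched anyway, the question the cover note raises (size_t vs u_int) should be settled here: the standard semop(2) prototype takes `size_t nsops`, and plain `unsigned` or `size_t` avoids depending on the BSD `u_int` typedef in an installed userland header. Either drop this hunk as a no-op or make it a deliberate change to `size_t` with the kernel side kept consistent.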
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010908063851.9148A-200000>
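The failure the message describes, a negative nsops slipping past `nsops > MAX_SOPS` and turning into an enormous copyin length, can be reproduced in user space without a kernel. The following is an added example, not code from the mail or from FreeBSD: it models the pre-fix (signed) and post-fix (unsigned) length computation side by side, with a local `struct sembuf` stand-in and an assumed `MAX_SOPS` value, and replaces copyin() with a simple bounds check against the fixed `sops[MAX_SOPS]` buffer size.

```c
/*
 * Added example (not from the mail or from FreeBSD): model of the
 * semop() nsops check before and after the u_int change. struct sembuf
 * is a local stand-in for <sys/sem.h>, MAX_SOPS is an assumed value,
 * and copyin() is replaced by a length check against the buffer size.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SOPS 5                 /* limit name from the patch; value assumed */

struct sembuf {                    /* local stand-in; layout assumed */
    unsigned short sem_num;
    short          sem_op;
    short          sem_flg;
};

/*
 * Pre-fix logic: nsops is a signed int. A negative value compares less
 * than MAX_SOPS, passes the check, and is then converted to size_t for
 * the multiplication, yielding a length of several gigabytes.
 * Returns 0 and sets *len to the byte count copyin() would receive,
 * or E2BIG if the check rejects the request.
 */
int semop_len_signed(int nsops, size_t *len)
{
    if (nsops > MAX_SOPS)
        return E2BIG;
    *len = nsops * sizeof(struct sembuf);   /* int -> size_t conversion wraps */
    return 0;
}

/*
 * Post-fix logic: nsops is unsigned, so every bit pattern that used to
 * be negative is now a large positive value and fails the same check.
 */
int semop_len_unsigned(unsigned int nsops, size_t *len)
{
    if (nsops > MAX_SOPS)
        return E2BIG;
    *len = nsops * sizeof(struct sembuf);   /* at most MAX_SOPS * sizeof */
    return 0;
}

/* Does a computed length fit the fixed kernel stack buffer sops[MAX_SOPS]? */
int fits_sops_buffer(size_t len)
{
    return len <= MAX_SOPS * sizeof(struct sembuf);
}

int main(void)
{
    size_t len = 0;
    int hostile_nsops = -1;        /* constructed hostile syscall argument */

    if (semop_len_signed(hostile_nsops, &len) == 0)
        printf("signed check passed nsops=%d; copyin length %zu bytes, fits buffer: %s\n",
               hostile_nsops, len, fits_sops_buffer(len) ? "yes" : "no");

    if (semop_len_unsigned((unsigned int)hostile_nsops, &len) == E2BIG)
        printf("unsigned check rejected nsops=%u with E2BIG\n",
               (unsigned int)hostile_nsops);

    return 0;
}
```

The width of the wrapped length follows the host's size_t, so on the author's i386 the product is a 32-bit value and on a 64-bit host it is correspondingly larger; the point is the same either way: the signed comparison admits the value and the unsigned one rejects it before any copy happens.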