From owner-freebsd-security Tue Sep 17 6:59:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4CB237B401 for ; Tue, 17 Sep 2002 06:59:35 -0700 (PDT) Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C0C643E65 for ; Tue, 17 Sep 2002 06:59:35 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g8HDxYX4002258 for ; Tue, 17 Sep 2002 06:59:34 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g8HDxYmU002257 for security@FreeBSD.ORG; Tue, 17 Sep 2002 06:59:34 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Tue, 17 Sep 2002 06:59:34 -0700 From: David Schultz To: security@FreeBSD.ORG Subject: race in i386_set_ldt(2) Message-ID: <20020917135934.GA2215@HAL9000.homeunix.com> Mail-Followup-To: security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org There seems to be a nasty exploitable race in i386_set_ldt(2), as David Xu pointed out some months ago in i386/38021. As this is a vulnerability when the kernel is compiled with the USER_LDT option, I thought I'd do my part to try to convince someone to commit a fix. Although David's patch has a few nits in it, his basic approach of copying the descriptors into a temporary kernel buffer is necessary if i386_set_ldt() is to be both safe and transactional. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message