From owner-freebsd-security@FreeBSD.ORG  Mon Aug 11 09:38:33 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DB94837B401
	for <security@freebsd.org>; Mon, 11 Aug 2003 09:38:33 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1B38343FBF
	for <security@freebsd.org>; Mon, 11 Aug 2003 09:38:33 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1])
	by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h7BGcCAL065492;
	Mon, 11 Aug 2003 12:38:12 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h7BGcB8X065489;
	Mon, 11 Aug 2003 12:38:12 -0400 (EDT)
Date: Mon, 11 Aug 2003 12:38:11 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
X-Sender: robert@fledge.watson.org
To: Jason Dambrosio <jason@wiz.cx>
In-Reply-To: <20030811063316.GA85000@tekgenesis.net>
Message-ID: <Pine.NEB.3.96L.1030811123553.64564A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: FreeBSD Security Advisories <security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2003 16:38:34 -0000


On Sun, 10 Aug 2003, Jason Dambrosio wrote:

> > IV.  Workaround
> > 
> > There is no workaround for the local denial-of-service attack.
> 
>     Wouldn't a possible workaround be, to load a kld module that would
> replace the ptrace(2) system call with a patched one? I remember doing
> such a trick for modifying other system calls using kld modules... 

Yes; it should be fairly trivial to write a kernel module that modifies
the system call vector to wrap the current ptrace() and performs extra
run-time argument checking.  Off-hand, I don't remember if the ptrace() 
argument in question involves an extra copyin() -- if so, a competent
attacker could race the system call wrapper, but if not, it should be
pretty secure.  I was thinking about writing one while driving to work
today; I may get around to it this evening sometime, unless someone else
gets there first.  I know we support ptrace() in the Linux emulation on
-current (maybe also -stable) -- I'm not sure if you'd also need to wrap
that interface or not. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories