Date: Sat, 18 Sep 2004 8:01:58 -0000 From: "Devon H. O'Dell" <dodell@sitetronics.com> To: "Matt Emmerton" <matt@gsicomp.on.ca>, "Mike Meyer" <mwm@mired.org> Cc: "gerarra@tin.it"@FreeBSD.ORG Subject: Re: FreeBSD Kernel buffer overflow Message-ID: <E1C8YII-000AGa-OV@smp500.sitetronics.com>
next in thread | raw e-mail | index | archive | help
--------- Original Message -------- From: Matt Emmerton <matt@gsicomp.on.ca> To: Mike Meyer <mwm@mired.org> Cc: viro@parcelfarce.linux.theplanet.co.uk, gerarra@tin.it, freebsd-hackers@freebsd.org Subject: Re: FreeBSD Kernel buffer overflow Date: 18/09/04 05:41 > > > ----- Original Message ----- > From: "Mike Meyer" <mwm@mired.org> > To: "Matt Emmerton" <matt@gsicomp.on.ca> > Cc: <viro@parcelfarce.linux.theplanet.co.uk>; "Avleen Vig" > <lists-freebsd@silverwraith.com>; <freebsd-hackers@freebsd.org>; > <gerarra@tin.it> > Sent: Saturday, September 18, 2004 1:22 AM > Subject: Re: FreeBSD Kernel buffer overflow > > > > In <001801c49d38$1c8cb790$1200a8c0@gsicomp.on.ca>, Matt Emmerton > <matt@gsicomp.on.ca> typed: > > > I disagree. It really comes down to how secure you want FreeBSD to be, > and > > > the attitude of "we don't need to protect against this case because > anyone > > > who does this is asking for trouble anyway" is one of the main reason > why > > > security holes exist in products today. (Someone else had brought this > up > > > much earlier on in the thread.) > > > > You haven't been paying close enough attention to the discussion. To > > exploit this "security problem" you have to be root. If it's an > > external attacker, you're already owned. > > I'm well aware of that fact. That's still not a reason to protect against > the problem. > > If your leaky bucket has 10 holes in it, would you at least try and plug > some of them? > > -- > Matt Emmerton So should we stop the command ``shutdown -h now'' from working for root? After all, he can DoS the system with it? How about this: let's disallow root from loading kernel modules! That way this can't ever happen. Even better: Why don't we just not boot into a usable environment! Then we have NO security holes. You guys are failing to see: ROOT HAS OMNIPOTENT POWER. SOMEBODY MUST HAVE OMNIPOTENT POWER. THIS IS NOT A BUG. THERE IS NOTHING TO SEE HERE, MOVE ON. Not to be sarcastic, but you guys are missing the problem. The problem was that someone was unaware of a kernel API. When you start programming for the kernel, you need to make sure that the code is secure. If you think this is a problem, take a look at init(8) and learn about securelevels. What happened: someone was unfamiliar with the syscall API. They crashed their system. They screamed wildly, believing they'd found a buffer overflow, when they'd merely overloaded the function stack and screwed up the call. This caused the system to reboot. Solution: make it more clear that syscalls take only 8 arguments. Make it clear that you can pass arguments in a struct to a syscall. Make it clear that many/most syscalls do this anyway. If there's beef on this, take it to doc@. --Devon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1C8YII-000AGa-OV>