Date: Fri, 23 Jun 2006 21:45:21 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org, secteam@freebsd.org
Subject: Re: cvs commit: src/sys/compat/linux linux_misc.c
Message-ID: <20060623214521.7b1441a6@Magellan.Leidinger.net>
In-Reply-To: <200606231849.k5NIncuF041890@repoman.freebsd.org>
References: <200606231849.k5NIncuF041890@repoman.freebsd.org>

Quoting Alexander Leidinger <netchild@FreeBSD.org> (Fri, 23 Jun 2006 18:49:38 +0000 (UTC)):

> netchild 2006-06-23 18:49:38 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/compat/linux linux_misc.c
> Log:
> The linux times syscall can be called with a NULL pointer, so keep cool
> and don't panic.
>
> This fix is different from the patch submitted as it not only prevents
> a NULL-pointer dereference, but also skips some work in this case.

I realized this may be a little bit misleading...

The NULL pointer is used as the destination in a copyout. And it writes some kind of time values (current time). So this will overwrite parts at the userland address 0. This will not lead to a kernel panic, but it will do malicious things to the program which uses the linux times syscall. So this is not a DoS in any case.

The problematic case is when a linux program uses a NULL pointer in the times syscall conditionally. This may render the service which uses such a linux program useless sometimes. For programs which use NULL there every time, this is not a DoS, it's just a normal bug (e.g. you can't use Oracle 10g Express) which prevents the use of this program.

So this is not a huge security flaw, it's more a not so small inconvenience. Since the RELENG_x_y branches are under control of the secteam, I used the "Security:" mark up to encode the possible need to merge this (I'm assuming Oracle 10g is important enough that we want our users to be able to run it).

For the curious people: there are two more patches needed to run Oracle 10g. They involve linprocfs and pseudofs. I will take care of them later (and if this commit is subject to a merge to RELENG_x_y, the other two patches should be too, but this will the powers with hats decide...).

Bye,
Alexander.

--
...and that is how we know the Earth to be banana-shaped.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
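
A regression check for the call form named in the commit log above, added here as an example (it is not code from the commit or from FreeBSD): it calls times() with NULL and with a real buffer inside a forked child, so an error return or a crash in either form shows up as a non-zero result. The function names probe_times and check_times_null are made up for this example.

```c
/* Added example; probe_times and check_times_null are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <sys/times.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs both call forms; returns 0 when they behave, a small code otherwise. */
static int probe_times(void)
{
    struct tms buf, sentinel;
    clock_t with_null, with_buf;
    long delta, tck = sysconf(_SC_CLK_TCK);
    memset(&sentinel, 0xA5, sizeof sentinel);
    buf = sentinel;                      /* lets us see whether buf is filled */
    with_null = times(NULL);             /* the call form from the commit log */
    if (with_null == (clock_t)-1)
        return 1;                        /* NULL buffer was rejected */
    with_buf = times(&buf);
    if (with_buf == (clock_t)-1)
        return 2;                        /* normal call failed */
    if (memcmp(&buf, &sentinel, sizeof buf) == 0)
        return 3;                        /* non-NULL buffer was not written */
    delta = (long)(with_buf - with_null);
    if (tck <= 0 || delta < 0 || delta > 10 * tck)
        return 4;                        /* the two tick counts disagree */
    return 0;
}

/* Runs the probe in a child so a fault there is reported instead of fatal. */
int check_times_null(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(probe_times());
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return -1;                       /* could not run the probe */
    if (WIFSIGNALED(status))
        return 100 + WTERMSIG(status);   /* child crashed */
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = check_times_null();
    printf("times(NULL) check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc != 0;
}
```

Built as a Linux executable and run under the Linux compatibility layer, an exit status of 0 means both call forms worked.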