From owner-freebsd-security Mon Dec 10 11:08:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id F262C37B44B; Mon, 10 Dec 2001 11:08:03 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id A414681D01; Mon, 10 Dec 2001 13:08:03 -0600 (CST)
Date: Mon, 10 Dec 2001 13:08:03 -0600
From: Alfred Perlstein
To: Mike Tancsa
Cc: security@freebsd.org, alc@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
Message-ID: <20011210130803.B92148@elvis.mu.org>
References: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>
In-Reply-To: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>; from mike@sentex.net on Mon, Dec 10, 2001 at 01:18:29PM -0500
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG

* Mike Tancsa [011210 12:25] wrote:
>
> For those not on bugtraq,

Yah, this needs to be fixed, do note that AIO is not enabled by default in FreeBSD and the warning is pretty clear.

Alan, can you take a look at this? I'd really like to get AIO enabled by default one of these days. :)

> ---Mike
>
> ------------------------------------------------------------------------------
> Soniq Security Advisory
> David Rufino Dec 9, 2001
>
> Race Condition in FreeBSD AIO implementation
> http://elysium.soniq.net/dr/tao/tao.html
> ------------------------------------------------------------------------------
>
> RISK FACTOR: LOW
>
> SYNOPSIS
>
> AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> scheduled AIO operations persist after an execve, allowing arbitrary
> overwrites in the memory of the new process. Combined with the permission
> to execute suid binaries, this can yield elevated privileges.
>
> Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> however comments in ``LINT'' suggest security issues have been known about
> privately for some time:
>
> # Use real implementations of the aio_* system calls. There are numerous
> # stability issues in the current aio code that make it unsuitable for
> # inclusion on shell boxes.