From owner-freebsd-security Mon Dec 10 11:23:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from parmenion.hosting.swbell.net (parmenion.hosting.swbell.net [216.100.98.30]) by hub.freebsd.org (Postfix) with ESMTP id 617D537B419; Mon, 10 Dec 2001 11:23:34 -0800 (PST)
Received: from imimic.com (adsl-216-63-78-18.dsl.hstntx.swbell.net [216.63.78.18]) by parmenion.hosting.swbell.net id OAA27556; Mon, 10 Dec 2001 14:23:20 -0500 (EST) [ConcentricHost SMTP Relay 1.14]
Message-ID: <3C150BA7.9D5EC72E@imimic.com>
Date: Mon, 10 Dec 2001 13:23:19 -0600
From: "Alan L. Cox"
Organization: iMimic Networking, Inc.
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Alfred Perlstein
Cc: Mike Tancsa, security@freebsd.org, alc@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
References: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca> <20011210130803.B92148@elvis.mu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Will do. You might also send it to tegge.

Alfred Perlstein wrote:
>
> * Mike Tancsa [011210 12:25] wrote:
> >
> > For those not on bugtraq,
>
> Yah, this needs to be fixed, do note that AIO is not enabled by
> default in FreeBSD and the warning is pretty clear.
>
> Alan, can you take a look at this? I'd really like to get AIO
> enabled by default one of these days. :)
>
> >
> > ---Mike
> >
> > ------------------------------------------------------------------------------
> > Soniq Security Advisory
> > David Rufino Dec 9, 2001
> >
> > Race Condition in FreeBSD AIO implementation
> > http://elysium.soniq.net/dr/tao/tao.html
> > ------------------------------------------------------------------------------
> >
> > RISK FACTOR: LOW
> >
> > SYNOPSIS
> >
> > AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> > scheduled AIO operations persist after an execve, allowing arbitrary
> > overwrites in the memory of the new process. Combined with the permission
> > to execute suid binaries, this can yield elevated privileges.
> > Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> > however comments in ``LINT'' suggest security issues have been known about
> > privately for some time:
> >
> > # Use real implementations of the aio_* system calls. There are numerous
> > # stability issues in the current aio code that make it unsuitable for
> > # inclusion on shell boxes.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
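One defender-side check the advisory's synopsis invites is confirming that VFS_AIO really is absent from a kernel config before trusting the "not enabled by default" mitigation. The following is an added example, not code from this thread, the advisory or FreeBSD itself; it assumes the config(5) directive syntax described in its docstring and runs against constructed sample configs.

```python
"""Audit a FreeBSD kernel config for the VFS_AIO option (added example, not
list or advisory code). Assumes config(5) syntax: '#' starts a comment, and
`options NAME`, `options NAME=value` or `options "NAME"` declare an option;
`nooptions NAME` removes one. `include` lines are not followed."""
import re

OPTION_RE = re.compile(r'^(options|nooptions)\s+"?([A-Za-z0-9_]+)"?(?:=\S*)?\s*$')

def enabled_options(config_text: str) -> set:
    """Return the kernel options still in effect after the last line."""
    opts = set()
    for raw in config_text.splitlines():
        # Drop comments first, so a commented-out `#options VFS_AIO` does not count.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        directive, name = m.group(1), m.group(2)
        if directive == "options":
            opts.add(name)
        else:
            opts.discard(name)
    return opts

def vfs_aio_enabled(config_text: str) -> bool:
    """True if the config compiles the real aio_* system calls into the kernel."""
    return "VFS_AIO" in enabled_options(config_text)

# Constructed sample configs (not the real LINT or GENERIC files).
SAMPLE_LINT_EXCERPT = """\
# Use real implementations of the aio_* system calls. There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.
#options        VFS_AIO
options         INET
"""

SAMPLE_SHELLBOX = """\
include         GENERIC
ident           SHELLBOX
options         "VFS_AIO"       # asynchronous I/O switched on here
"""

if __name__ == "__main__":
    for name, text in (("LINT excerpt", SAMPLE_LINT_EXCERPT), ("SHELLBOX", SAMPLE_SHELLBOX)):
        print(f"{name}: VFS_AIO {'enabled' if vfs_aio_enabled(text) else 'not enabled'}")
```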