From owner-freebsd-security  Mon Dec 10 11:23:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from parmenion.hosting.swbell.net (parmenion.hosting.swbell.net [216.100.98.30])
	by hub.freebsd.org (Postfix) with ESMTP
	id 617D537B419; Mon, 10 Dec 2001 11:23:34 -0800 (PST)
Received: from imimic.com (adsl-216-63-78-18.dsl.hstntx.swbell.net [216.63.78.18])
	by parmenion.hosting.swbell.net
	id OAA27556; Mon, 10 Dec 2001 14:23:20 -0500 (EST)
	[ConcentricHost SMTP Relay 1.14]
Message-ID: <3C150BA7.9D5EC72E@imimic.com>
Date: Mon, 10 Dec 2001 13:23:19 -0600
From: "Alan L. Cox" <alc@imimic.com>
Organization: iMimic Networking, Inc.
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Alfred Perlstein <bright@mu.org>
Cc: Mike Tancsa <mike@sentex.net>, security@freebsd.org,
	alc@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
References: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca> <20011210130803.B92148@elvis.mu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Will do.  You might also send it to tegge.

Alfred Perlstein wrote:
> 
> * Mike Tancsa <mike@sentex.net> [011210 12:25] wrote:
> >
> > For those not on bugtraq,
> 
> Yah, this needs to be fixed, do note that AIO is not enabled by
> default in FreeBSD and the warning is pretty clear.
> 
> Alan, can you take a look at this?  I'd really like to get AIO
> enabled by default one of these days. :)
> 
> >
> >       ---Mike
> >
> > ------------------------------------------------------------------------------
> > Soniq Security Advisory
> > David Rufino <dr@soniq.net> Dec 9, 2001
> >
> > Race Condition in FreeBSD AIO implementation
> > http://elysium.soniq.net/dr/tao/tao.html
> > ------------------------------------------------------------------------------
> >
> > RISK FACTOR: LOW
> >
> > SYNOPSIS
> >
> > AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> > scheduled AIO operations persist after an execve, allowing arbitrary
> > overwrites in the memory of the new process. Combined with the permission
> > to execute suid binaries, this can yield elevated priviledges.
> > Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> > however comments in ``LINT'' suggest security issues have been known about
> > privately for some time:
> >
> > # Use real implementations of the aio_* system calls.  There are numerous
> > # stability issues in the current aio code that make it unsuitable for
> > # inclusion on shell boxes.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message